
> Passkeys are meant to be a password _replacement_, and for that you probably want the 2-factor properties afforded by phones or desktops which usually require "something you know" or "something you are" to unlock in addition to the "something you have" afforded by physically possessing them

Yes, because the keys have a PIN just for this use case. Similar to the ATM card or SIM card you already know.



The impression that I get though is that the PINs are typically short (especially if we have to enter them every time we access the key). Now, how physically safe are hardware keys that the actual private key can't be extracted from them? In contrast to an ATM or SIM we essentially rely on the device to enforce the "max number of attempts", not an external entity.

Once the key is extracted brute forcing the PIN is not a problem, because it likely is going to be simple. Unless somehow the devices are going to enforce long PINs.


The PIN doesn't have to be long because the key will block itself after a very limited number of attempts. Just like with your bank card.

Extracting the key is another issue but the chips used in these are hardened. They are just like the secure element in phones.
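The retry-counter argument made in the comments above, as an added illustration (this is not code from any commenter, nor from any real authenticator firmware): a simplified model of a secure element that guards a key behind a short PIN and blocks itself after a fixed number of failures, together with the arithmetic for how much an online guesser can achieve before the lockout. The PIN, key bytes and 4-digit length are constructed; the retry limit of 8 is the one the FIDO2 CTAP2 specification sets for authenticator PINs, but the model itself assumes nothing else about real devices.

```python
"""Model of the PIN retry counter discussed in the thread (added illustration).

Constructed parameters: a 4-digit PIN, 8 retries, placeholder key bytes.
Nothing here is taken from a real authenticator implementation.
"""
import hmac
from fractions import Fraction
from typing import Optional


class HardwareKeySim:
    """A secure element that releases a private key only after a correct PIN.

    The key never leaves the object except through `unlock`, and a persistent
    retry counter decides whether `unlock` still works at all. The thread's
    point is that the counter, not PIN length, carries the security; the
    corollary is that the guarantee only holds while the counter and the key
    stay inside tamper-resistant hardware.
    """

    def __init__(self, pin: str, private_key: bytes, max_retries: int = 8):
        self._pin = pin.encode()
        self._key = private_key
        self._max_retries = max_retries
        self._retries_left = max_retries

    @property
    def blocked(self) -> bool:
        return self._retries_left == 0

    def unlock(self, candidate: str) -> Optional[bytes]:
        """Return the key on a correct PIN, None otherwise.

        The counter is decremented *before* the comparison and restored only
        on success. Real secure elements do the same so that an attacker who
        interrupts power between compare and counter write cannot get a free
        guess: a failed or interrupted attempt always costs one retry.
        """
        if self.blocked:
            return None
        self._retries_left -= 1  # charge the attempt first
        if hmac.compare_digest(candidate.encode(), self._pin):  # constant-time
            self._retries_left = self._max_retries  # success resets the counter
            return self._key
        return None


def brute_force_success_probability(pin_digits: int, attempts: int) -> Fraction:
    """Chance that `attempts` distinct guesses hit a uniformly random PIN."""
    space = 10 ** pin_digits
    return Fraction(min(attempts, space), space)


def count_guesses_until_blocked(device: HardwareKeySim, pin_digits: int) -> int:
    """Feed 0000, 0001, ... to the device until it blocks; return guesses made.

    Shows the lockout doing its job: with the counter intact, sequential
    guessing stops after `max_retries` tries regardless of PIN length.
    """
    guesses = 0
    for n in range(10 ** pin_digits):
        if device.blocked:
            break
        device.unlock(f"{n:0{pin_digits}d}")
        guesses += 1
    return guesses


if __name__ == "__main__":
    # Constructed demo values.
    dev = HardwareKeySim(pin="7291", private_key=b"placeholder-key-bytes")
    made = count_guesses_until_blocked(dev, pin_digits=4)
    print(f"guesses before lockout: {made}, blocked: {dev.blocked}")
    print("correct PIN after lockout:", dev.unlock("7291"))  # None
    p = brute_force_success_probability(pin_digits=4, attempts=made)
    print(f"attacker success odds with counter intact: {p} = {float(p):.4%}")
    print(f"odds if the counter is bypassed (offline): "
          f"{brute_force_success_probability(4, 10_000)}")
```

The two probabilities are the whole argument in numbers: with the counter intact an online guesser gets 8 tries against 10,000 PINs (0.08%), and the same 4-digit PIN offers nothing at all once the key material and counter can be read out of the chip, which is why the trust rests on the secure element's tamper resistance rather than on the PIN.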



