
Passkeys are not MFA; passkeys are expected to be used as a single authentication factor.


The passkey security model is designed with the assumption that the passkey is tied to a device. Using a password manager that's tied to a centralized service that's accessible from any web browser with an internet connection makes the security model different. It seems to me like a passkey on a password manager is no different than a username and password with NO 2FA security model.


The whole idea of passkeys is that the credentials are syncable. The main implementations of passkeys are probably going to be platforms (Google/Apple/Microsoft) and password managers. In both cases the credentials will be syncable and tied to a centralized service.

The main difference from passwords is that passkeys are not phishable (since you never send them to the website you authenticate to).


Oh, and for SSH, an SSH CA and short-lived SSH certificates are the only right way ^^ (I recommend HashiCorp Vault for this purpose. It also works for the host key.)
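The "not phishable" point above comes down to what a passkey actually sends: a signature over a server challenge, the origin the browser observed, and a hash of the relying-party ID, never the secret itself. The following is an added example, not code from the thread or from any vendor, showing a simplified WebAuthn assertion on both sides; `example.com`, the look-alike `examp1e.com`, and the challenge string are constructed, and authenticatorData is reduced to its rpId hash.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)
// clientData is the part of WebAuthn's clientDataJSON that the relying party inspects.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedMessage is what the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
// authenticatorData is reduced here to its first field, SHA-256(rpId).
func signedMessage(authData, cdj []byte) []byte {
	ch := sha256.Sum256(cdj)
	m := sha256.Sum256(append(append([]byte{}, authData...), ch[:]...))
	return m[:]
}
// makeAssertion models browser plus authenticator: the browser records the origin the user is
// really on, and the private key never leaves this function, so nothing reusable reaches the site.
func makeAssertion(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (authData, cdj, sig []byte) {
	h := sha256.Sum256([]byte(rpID))
	cdj, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, signedMessage(h[:], cdj))
	return h[:], cdj, sig
}
// verify is the relying party: its own challenge, origin and rpId hash must all match before the
// signature is checked against the public key stored at registration.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdj, sig []byte) bool {
	var cd clientData
	want := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(cdj, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge ||
		cd.Origin != origin || len(authData) < 32 || string(authData[:32]) != string(want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(authData, cdj), sig)
}
// demo: a genuine login verifies, while an assertion produced on a look-alike origin (a constructed
// phishing host) is rejected by the real site even though the same key and challenge were used.
func demo() (genuine, phished bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	chal := "constructed-server-nonce" // a real RP sends fresh random bytes for every login
	a, c, s := makeAssertion(priv, "example.com", "https://example.com", chal)
	genuine = verify(&priv.PublicKey, "example.com", "https://example.com", chal, a, c, s)
	a, c, s = makeAssertion(priv, "examp1e.com", "https://examp1e.com", chal)
	phished = verify(&priv.PublicKey, "example.com", "https://example.com", chal, a, c, s)
	return genuine, phished
}
```

A real relying party also tracks the signature counter, checks the user-presence flag in authenticatorData, and compares the challenge against one it stored per session; the origin and rpId checks shown here are what make a captured assertion useless elsewhere.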



