
Yes. When TOTP debuted, it was aimed at and designed by security engineers. Keeping secrets on-device was and is correct for serious uses.

Google Authenticator is a victim of its own popularity. Fortunately, the field moved on, and we now have WebAuthn and Passkeys for non-exportable private authentication keys.




Sadly, WebAuthn is also becoming a victim in the same way (at least on iOS).

The expectation is that WebAuthn private keys are stored in the secure enclave, which would be a comparable security guarantee to YubiKeys and other hardware devices.

"Passkeys" are now forcibly synced via iCloud; you can't use WebAuthn on iOS without enabling iCloud Keychain.


Huh, thanks, I wrongly assumed that Passkeys inherited WebAuthn’s attestations for hardware-backed keys. I guess organizations will need to ban Passkeys internally.
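The distinction the thread turns on (device-bound WebAuthn credential versus synced passkey) is visible to a relying party at registration time: the WebAuthn authenticator data carries a flags byte whose BE (backup eligible) and BS (backup state) bits say whether the credential can be, or currently is, synced off the device, and the attestation format says whether the authenticator offered any proof of hardware backing at all. The following is an added example, not code from the thread or from any passkey implementation, showing how a relying party's registration handler can parse those bits and apply a "device-bound keys only" policy. The `evaluate_registration` and `make_sample_auth_data` names, the sample RP ID `example.com`, and the constructed authenticator data bytes are all assumptions for illustration.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: credential may be synced to other devices
FLAG_BS = 1 << 4  # backup state: credential is currently backed up / synced
FLAG_AT = 1 << 6  # attested credential data follows the fixed header
FLAG_ED = 1 << 7  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "attested_credential_data": bool(flags & FLAG_AT),
    }


def evaluate_registration(auth_data: bytes, expected_rp_id: str, attestation_fmt: str) -> tuple:
    """Hypothetical relying-party policy: accept only device-bound, attested credentials.

    Returns (accepted, reason). attestation_fmt is the "fmt" field of the attestation object;
    "none" means the authenticator supplied no attestation statement to verify.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    if not parsed["user_present"]:
        return False, "user presence not asserted"
    if parsed["backup_eligible"] or parsed["backup_state"]:
        return False, "credential is backup-eligible (synced passkey); device-bound key required"
    if attestation_fmt == "none":
        return False, "no attestation statement; hardware backing cannot be verified"
    return True, "accepted"


def make_sample_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample header for demonstration; not a real authenticator response."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    device_bound = make_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT)
    synced = make_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT)
    print(evaluate_registration(device_bound, "example.com", "packed"))
    print(evaluate_registration(synced, "example.com", "none"))
```

The flags are only as trustworthy as the attestation that covers them: a full registration check also verifies the attestation signature over the authenticator data and client data hash and chains the attestation certificate to a trusted root, which is what actually proves the key lives in hardware. Without that step, the BE/BS bits are a self-report from the client, so a policy that bans synced passkeys has to reject `fmt: "none"` as well, as the example does.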



