
One thing I don't understand about offering passkey login for your email is how you would go about recovering an account if you lost access to the device which holds your passkey? Google states: "When you create a passkey, you opt in to a passkey-first, password-less sign-in experience.". This seems to imply that you will not be able to use your old password if you ever lost your phone. Do Google still offer backup passwords for recovery purposes if you switch to passkeys? Their site doesn't seem to explain this.

https://support.google.com/accounts/answer/13548313?hl=en#zi...




Think of passkeys as being the same as a password database. The provider can offer whatever recovery mechanism they want, and sites that use passkeys can continue to offer account recovery methods completely independent of their use of passkeys.

As for what Google does specifically with their implementation, I'm not sure. I personally plan to use KeepassXC's implementation, whenever that comes out, with my own custom database backup strategy.


This is an area where the specs contrast with the vendors.

The WebAuthn specs recommend registering multiple passkeys/credentials per device and assume that once a credential is lost it might not be recoverable.

Apple and other vendors using keychains/wallets are effectively offering the option to delegate the recovery of the passkey to the recovery of the account with them (eg: the iCloud account).

In case it is of interest, we wrote a long blogpost on the topic: https://www.slashid.dev/blog/passkeys-security-implementatio...


You can still use your password today on a Google account with passkeys. And account recovery via other means (depending on a lot of things) is still available.

It's too early to completely replace all methods with passkeys, but the hope is that as they gain better support and understanding, websites will be able to make other methods rare/exceptional. For exceptional cases such as account recovery, as opposed to day-to-day account sign-in, there is room to apply a lot of other abuse signals and other methods to make it harder for attackers.

More here: https://security.googleblog.com/2023/05/so-long-passwords-th....


Same way as you recover a password stored in your password manager. It's pretty much the same thing.


The way I do that is I memorise my password manager master key. How do I do that with a passkey?


Same way: your password manager will hold the passkey token instead of a password. Recovering a passkey is done the same way as recovering your randomly generated password.


Email magic link, recovery codes, web of trust (recovery contacts), or remote government credentials proofing (ID.me, Stripe Identity, etc).
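The two points raised above, registering more than one credential so a lost authenticator is not fatal, and keeping a recovery path such as single-use recovery codes, are easy to get wrong on the relying-party side. The following is an added example, not code from any commenter, Google, Apple or the linked blog posts. It assumes a hypothetical relying party whose account record holds several WebAuthn credentials and hashed recovery codes; the credential IDs and labels are constructed sample data, and the `Account`, `register`, `revoke`, `issue_recovery_codes` and `redeem_recovery_code` names are this example's own.

```python
"""Multi-credential accounts plus single-use recovery codes for a
passkey relying party. Added example with a hypothetical RP data model;
credential IDs below are constructed sample bytes, not real ones."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Credential:
    # What the RP keeps per registered passkey: the credential ID the
    # authenticator returned and the public key it will sign with.
    credential_id: bytes
    public_key: bytes
    label: str  # user-facing, e.g. "iPhone" or "YubiKey in the drawer"


@dataclass
class Account:
    user_id: bytes
    credentials: list[Credential] = field(default_factory=list)
    # Recovery codes are stored hashed, like passwords, so a database
    # leak does not hand out usable codes. Each entry is (salt, digest).
    recovery_codes: list[tuple[bytes, bytes]] = field(default_factory=list)


def exclude_list(account: Account) -> list[dict]:
    """The excludeCredentials the RP puts in a new registration challenge,
    so the same authenticator is not enrolled twice and the user ends up
    adding a *second* device instead of re-adding the first."""
    return [{"type": "public-key", "id": c.credential_id}
            for c in account.credentials]


def register(account: Account, credential_id: bytes,
             public_key: bytes, label: str) -> None:
    if any(c.credential_id == credential_id for c in account.credentials):
        raise ValueError("authenticator already registered")
    account.credentials.append(Credential(credential_id, public_key, label))


def revoke(account: Account, label: str) -> None:
    """Remove a lost device's credential. Refuse to remove the last one
    unless a recovery path (unused recovery codes) still exists."""
    remaining = [c for c in account.credentials if c.label != label]
    if len(remaining) == len(account.credentials):
        raise KeyError(label)
    if not remaining and not account.recovery_codes:
        raise RuntimeError("refusing to lock the account out: "
                           "no credentials and no recovery codes left")
    account.credentials = remaining


def _hash_code(code: str, salt: bytes) -> bytes:
    # Slow hash: codes are short, so brute force against a leaked digest
    # must be made expensive.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


def issue_recovery_codes(account: Account, count: int = 8) -> list[str]:
    """Generate fresh single-use codes, replacing any existing set, and
    return the plaintext codes to show the user exactly once."""
    plaintext = []
    account.recovery_codes = []
    for _ in range(count):
        code = secrets.token_hex(5)  # 10 hex chars, 40 bits of entropy
        salt = secrets.token_bytes(16)
        account.recovery_codes.append((salt, _hash_code(code, salt)))
        plaintext.append(code)
    return plaintext


def redeem_recovery_code(account: Account, code: str) -> bool:
    """True if `code` matches an unused entry; the entry is consumed so
    the same code cannot be replayed."""
    for i, (salt, digest) in enumerate(account.recovery_codes):
        if hmac.compare_digest(_hash_code(code, salt), digest):
            del account.recovery_codes[i]
            return True
    return False
```

The `revoke` guard is the piece that encodes the thread's concern: an RP should never let an account reach a state with zero credentials and zero recovery methods, because at that point the only way back is the provider's manual support process.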



