
How can a user, right now, take control + ownership of backing up their own pass keys, without iCloud or Google?

This is a privilege I currently enjoy right now, and one I am not really eager to give up.




It depends on your web browser. Just see what happens here https://webauthn.io/

Firefox on Desktop tells me to "touch my security key". Not sure how that works. Firefox Android gives me a few hardware options to store my passkey to. Chrome Desktop asks me to enable Bluetooth. Chrome Android asks which Google Account to use.


Just tried that with Firefox on Android and while it works, I can't find any evidence of a stored passkey on my device, let alone a way to export it.


Are you on Linux? AFAIK it doesn't work on Desktop Linux.


I use passkeys everywhere I find them. I do not take control or ownership of backing up - instead I have alternative 2fa or hardware key authentication with all those accounts.

For every account I have a hardware key for, there are 3 hardware keys associated with that account - 2 on-site, 1 off-site.


How do you register your off-site hardware key? Did you have to go retrieve it each time you wanted to make an account?

I suppose every time one makes an account one can register the two on-site keys, and then rotate one of your on-site keys to off-site and take the off-site key home with you, and then finally register it.

Maybe I should get a third key...


I think you answered your own question! The three-key setup is optimum for ease of rotating (or so you can carry one on person) - but if your house burns down with your phone in it - you will lose anything set up since your last offsite rotation.

Sounds paranoid / crazy - but I have 0 anxiety about being locked out of an account that matters.


Which hardware keys are you using? And have you found any difficulty in adding multiple keys to a web site?


Yubikey keys - zero difficulty adding multiple - if a site doesn't allow multiple I wouldn't lock my account down to a single point of failure. All the big players seem to offer it, and I cannot recall any that didn't. Google in the "advanced protection" days forced you to have more than 2 keys for this reason.

By count of sites, most sites don't appear to take security that seriously, so anything more than a password is off the cards, but the big ones - the ones that actually matter: email, cloud, etc. - should all be able to be secured.


I've got security keys on Yubikeys, Android devices, and Windows devices. Only one of these is Google.


Password managers like Dashlane and 1Password have announced support for storing and syncing passkeys. As passkeys become more popular I expect more providers to step up as well.

Ecosystem lockin is not how we make a new technology like this successful. And all players in the game understand that.


1Password does not give control and ownership.[1]

[1] https://news.ycombinator.com/item?id=37836783


Appreciate the response. And I wish this message was front and center. The Attestation feature is what worries me, when, say, the bank turns it on for a few 'blessed' providers, or mandates a hardware implementation.

Watching https://github.com/keepassxreboot/keepassxc/issues/1870 with bated breath... :)


Your concern around attestation (mis)use is spot on. I'd say the industry is yet to arrive at an acceptable consensus or compromise on that question.


I use 1Password [0] for syncing passkeys, and it works quite well. I would imagine other password managers are building similar features.

[0]: https://support.1password.com/save-use-passkeys/


1Password does not give control and ownership.[1]

[1] https://news.ycombinator.com/item?id=37836783



