
You still need my password or fingerprint to use a passkey, and can't transfer it from my device to yours.



Doesn't sound a whole lot different from TOTP to me.


You can't MITM a passkey, you can MITM a TOTP challenge.

That is, passkeys cannot be phished. The only way to get into my passkey-protected account is to physically gain access to my passkey device, which requires both physical access to the device, and a second factor like a face/fingerprint or PIN/password.

Additionally, the TOTP secret can be copied, while today passkeys don't allow that either.



