Hacker News

Several password managers support it at this point too, without any hardware requirements. Bitwarden's implementation works pretty well, for example.



But then of course you also lose one of the main security properties that made webauthn desirable in the first place.

If you can copy the credentials to your own new device, an adversary can copy them to their device also.
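A relying party can actually tell the copyable kind of credential described above from a device-bound one: WebAuthn authenticator data carries Backup Eligible (BE) and Backup State (BS) flag bits. The parser below is an added illustration, not code from this thread; the relying-party id `example.com` and the sample authenticator data are constructed.

```python
"""Inspect WebAuthn authenticatorData to tell synced (copyable) credentials from device-bound ones."""
import hashlib
import struct

# Flag bits of the authenticatorData "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced/exported to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix: rpIdHash (32), flags (1), signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def classify(auth_data: bytes, rp_id: str) -> str:
    """Label a credential so a relying party can apply policy (e.g. require device-bound for admins)."""
    info = parse_auth_data(auth_data)
    if info["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "reject: rpIdHash mismatch"
    if not info["backup_eligible"]:
        return "device-bound"  # e.g. a hardware security key
    if info["backed_up"]:
        return "synced"  # copyable, e.g. a password-manager passkey
    return "syncable-not-yet-synced"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticatorData, not captured from a real authenticator."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    hw = make_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    pm = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print(classify(hw, "example.com"), classify(pm, "example.com"))
```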


That's true of SMS 2FA too, though, as well as many TOTP implementations. Being able to copy credentials to a new device is a major usability plus; consequently, it is widely implemented.

Physical webauthn tokens are obviously better, but software webauthn is the second best thing. Software TOTP is a good bit worse, and SMS OTP shouldn't even qualify as a secure method.


Definitely, so for scenarios where I want the strongest possible 2FA, I use a hardware authenticator.

For everything else, WebAuthn based on a software authenticator is both more secure and more convenient than passwords, and realistically even than TOTP (having a higher takeover risk but lower phishing risk).


You can say the same thing about ssh keys.



