> Sure the do. All somebody needs is the password to your password manager. It's a single point of failure and by putting your passkeys in there to you've made it even more vulnerable.
Not more vulnerable than if they were just using password. You're still missing my point, password managers do not give you the ability to just copy-paste the private key of a passkey into a form field, unlike passwords. Some don't give you access to it at all (*cough* Apple *cough*). Sure you can get the private key if you have access to the password managers vault, but that's not what's being talked about. Common usage patterns matter immensely in security. At the end of the day, the attack surface for passkey-based authentication is smaller than password-based authentication, which is a step in the right direction.
> The parent wasn't giving security advice. They were asking a valid question.
The parent made a blatantly false and dangerous statement and then followed it up with a question. Did we read the same comment?
I agree that it's not more vulnerable than just using a password, I'm only saying that it's only slightly less vulnerable under the best circumstances and incredibly more vulnerable under the worst circumstances (ie. if somebody got ahold of your password manager).
I also agree that passkey-based authentication provides a smaller attack surface than purely password-based authentication.
But putting the passkey on a second device provides an even smaller attack surface since now a bad actor needs both your device (or a MITM attack) and your password.
This is an HN forum. Nobody's giving "security advice," but I do feel like the parent comment's question hasn't been answered. Why would one store passkeys in their password manager instead of on a separate device?
> I agree that it's not more vulnerable than just using a password, I'm only saying that it's only slightly less vulnerable under the best circumstances and incredibly more vulnerable under the worst circumstances (ie. if somebody got ahold of your password manager).
I feel like we might have a mismatch in understanding what a passkey is. You make a new keypair for each account to authenticate to. A leaked passkey is generally no more vulnerable than a password when leaked.
> But putting the passkey on a second device provides an even smaller attack surface since now a bad actor needs both your device (or a MITM attack) and your password.
Correct. The gold standard is a hardware secured, non-cloud synced private key.
> This is an HN forum. Nobody's giving "security advice,"
It's a technical forum with statements on a technical topic. Making statements like that can always be misinterpreted as technical advice by default.
> but I do feel like the parent comment's question hasn't been answered. Why would one store passkeys in their password manager instead of on a separate device?
This is fair. The answer is: convenience. It is most definitely worse security posture to sync passkeys than to store them on a separate, physical device that can answer challenges without leaking the private key.
The reason to use them over passwords is they are more secure, even when synced to a cloud vault.
Thanks for helping to clarify what we're talking about. I disagree with some of what you're saying, but I also see where you're coming from re: the convenience of passkeys in your pw manager.
Not more vulnerable than if they were just using password. You're still missing my point, password managers do not give you the ability to just copy-paste the private key of a passkey into a form field, unlike passwords. Some don't give you access to it at all (*cough* Apple *cough*). Sure you can get the private key if you have access to the password managers vault, but that's not what's being talked about. Common usage patterns matter immensely in security. At the end of the day, the attack surface for passkey-based authentication is smaller than password-based authentication, which is a step in the right direction.
> The parent wasn't giving security advice. They were asking a valid question.
The parent made a blatantly false and dangerous statement and then followed it up with a question. Did we read the same comment?