Ask HN: Are passkeys just another MFA?
2 points by Raed667 17 days ago | 5 comments
When I initially read about passkeys, I understood they'd replace the email/password flow.

However, I have been using passkeys (when I can) with 1Password and so far my experience is that they "just" replace TOTP that were already pre-filled by 1Password anyway. So in terms of UX there is not a big gain.

I guess that the current advantage is that passkeys are cryptographically secure, while in theory 1Password TOTP auto-fill is based on just matching domain names.

Am I missing something here?




They can be. Depends on how they are implemented.

Passkeys can:

- Replace the whole login (including discovery of the user id)

- Just replace the password, after a user specified a user id

- Be used as a second factor just like TOTP

They are definitely more phishing resistant for what it’s worth, even if just used for MFA. TOTP codes can be copied manually by an unsuspecting user.


Thanks for the clarification! Do you know of any services that implemented the full flow, including the discovery of user id?


We do this for https://tender.run - the feature is called conditional mediation / UI. I found this article[0] helpful for implementation.

[0]: https://web.dev/articles/passkey-form-autofill#fetch_a_chall...


GitHub


See also: https://webauthn.io

If you want to explore more options.



