Fido keys can also be used without password or even an account name (but with pi... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		wkat4242 on Jan 19, 2024 \| parent \| context \| favorite \| on: Winding down Google Sync and Less Secure Apps supp... Fido keys can also be used without password or even an account name (but with pin which becomes the second factor in that scenario). They are very resistant to phishing because they do a challenge response every time that's bound to the domain name of the requesting site. So typosquatting tricks won't work. The private key is generated and stored in the token and they are very resistant to extraction. In general it's way safer than a password that can be intercepted and reused by anyone who knows it.

notatoad on Jan 20, 2024 [–]

but we're talking about google's implementation here, where fido keys are only a second factor. and in google's implementation, allowing passwords to be compromised means compromising your security, because their authentication flow is based around having more than just one factor.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact