Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Passkeys require a password manager, so at most, this locks you into a password manager - choose carefully!

But it’s not that locked in. You can generate new passkeys for a different password manager, so migration is more of an annoyance, if you do it gradually. Having more than one password manager for a while isn’t so bad.



> Passkeys require a password manager

No, they do not. For the vast majority they will simply require using the two major closed OSes which desire to lock the user in. Importantly the OS layer is where they will first encounter keypass, and so that is where the vast majority of keypass will happen, which is as gp said, the lock in factor.

Advanced users such as that that browse this site, will make use a password manager. Due to the extra effort involved, such users are a minority.


iOS and Chrome (often on Android, but not necessarily) have built-in password managers. I use both! I believe Windows has one, too.

It's true that a lot of people who don't really think about which password manager they should use will end up using one of those by default. (Much like happens with web browsers.)

Getting the masses to use password managers regularly will greatly improve security. It would be better if more people made a deliberate choice, though.


Now that the FIDO alliance transfer protocol has been hashed out, Passkey transfer has been announced to be coming in iOS/macOS 26, I assume it's also coming to the other password managers


If you already had a password manager, of what good is the passkey?


One improvement is that they use public key cryptography, so they will never show up on Have I Been Pwned due to poor website security.

But yeah, if you use a password manager you’re probably doing better than most people.


If they wanted to improve things, they could include a small little xml link in their password change and registration pages that tells my password manager what passwords are allowed so it could auto-generate them rather than me trying to find out that they disallow anything longer than 32 characters, or that the ampersand isn't permitted. (Or, like years ago, when I discovered that Adobe didn't disallow long passwords they just truncated them to 64 characters internally and wouldn't accept the longer one after.)


Passkeys solve all that by hiding key generation entirely from users. But it requires a password manager and good backups.


Hiding things from me is never going to be a good thing. Hiding things from most people will never be a good thing.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: