> Similar to a password there isn't a way to recover it if you forget it.

But dissimilar to a password in that you aren't ever expected to remember it, can't write it down, and in other ways.

> You can have it show a QR code that you can scan with phone, using your phone as a passkey.

I can't keep my phone in my safe and still use my phone.



> I can't keep my phone in my safe and still use my phone.

Okay, so don't put it in a safe. The key is stored securely in your phone.


> The key is stored securely in your phone.

No it's not; what if I drop my phone in the ocean? Sure, in terms of encryption, secure storage and so on, it's securely stored. It's just not physically secured.

That's what concerns people. What happens if I lose my devices? What happens if I need to access an account which has been secured by a passkey, but I don't have any of my other devices, what do I do then?


You can't get the password from your safe when you're on the ocean and if your house burns down the little piece of paper will be ash the moment the flames reach the safe.

If you lose access to your phone, click "forgot password" and recover your account through your email address, the same way you would if you forgot the combination to your safe.


Except you can't log into your email because you don't have your passkey (which was on your phone).


A lot of people only have a phone these days. It's way more likely that they lose their phone than their home burns down.

In Microsoft's case they want to use passkeys for Outlook.com as well, so their advice on using an email as recovery makes no sense. Then you can use security questions, which honestly is possibly worse than username and password. The last option is via a linked phone number, which security experts also advise against.

My complaint about passkeys stands: without a non-digital way of backing them up, as easy as writing a password on a post-it and stuffing it in your sock drawer, I can't see it being anything but a major hassle.

For some things, e.g. GitHub, Facebook and things of that nature, fine, go with passkeys. For your email account, maybe not.


Disagree.

I need an analogue way to get access to my accounts.

If my phone gets crunched, I should be able to go to a secondary device or secure sheet of paper and restore full access to my password safe/accounts. Nothing should be tied to one piece of hardware.

It's why I despise having to use proprietary TOTP like Symantec for banking. If my phone breaks, I have to go through a recovery process. If I could backup my TOTP with a normal app, it wouldn't be a problem.


Until someone pickpockets it - you need another phone as a backup in your safe.


> securely

I do not think that word means what I think you think that word means.


