Most of these concerns are luckily not a problem in practice, I'll try to go through them one by one.

> In the future I'm imagining my 2FA secrets being stolen from my browser, or being used to track me.

The API does not provide access to secrets. Keys remain on the WebAuthn device, and the device only signs data and sends that back. The key is likely also stored in a way that makes extraction hard - for hardware tokens, past attacks of this nature mostly required physical access, and modern iPhones and some Android devices have high-quality key stores offering similar protection. AFAIK keys used by these devices differ for each origin/domain (IIRC through some crypto magic on hardware devices, as they don't have space for many keys), preventing cross-origin tracking.

> Google "for my convenience" automatically logs me in so it can track me?

Most (all?) implementations I'm aware of require approval on the token (physical tap, approval of a prompt). Browsers also tend to show a prompt/notification when sites use this feature.

> Or perhaps, my bank checking my battery level, WiFi hot spots, and the model of phone when it pulls the 2FA tokens to verify my location.

The API does not allow this level of access.

> Also, I can only log on with their app on my phone, because the tokens are hidden, further making my desktop useless.

There is nothing stopping you from using hardware tokens (which use the same standard) or even soft tokens running on your desktop. IIRC GitHub created a desktop implementation utilizing the Secure Enclave that modern Macs come with for this purpose.

> Maybe a website figures out how to use JavaScript to generate another login's tokens. It takes an hour of tokens and feeds them into hashcat on AWS to break my key.

This does not make sense with the implementation in mind - the key is stored on a separate device and the browser only ever gets something that was signed using said key.
