Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Among other things, they are completely unfishable.

From what I've heard, they're also unbackupable, and tied to the ecosystem used to create them (so if you started with an Apple desktop, you can't later migrate the passkeys to a Windows desktop, you have to go to every single site you've ever used and create new ones).



You can't really backup hardware tokens, either? It's quite possible to use something like bitwarden/vaultwarden/1password as a password manager, and you can "backup" tokens quite easily without being tied to a particular mobile/desktop ecosystem.


You can just create a new passkey on the new device after logging in. It's a non-issue.


It is not a given that multiple services let you enroll multiple keys. How many year did it take before Amazon allowed multiple Yubikeys? Which means you are in a real pickle if you ever lose your one hardware device with keys (lost, stolen, bricked, whatever).


It's an incorrect implementation, the same as when eg an account provider truncates a long password to 8 characters.


That’s not true anymore; you can migrate passkeys to another password manager now.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: