With passkeys there is nothing to check manually. If it works, you know it's the... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		yawaramin 16 days ago \| parent \| context \| favorite \| on: DuckDB NPM packages 1.3.3 and 1.29.2 compromised w... With passkeys there is nothing to check manually. If it works, you know it's the domain you registered on. If it doesn't work, you log in with a non-phishable auth method like emailed magic link, then register a new passkey. You could claim that a phishing site could set up their own passkey registration system–but that still wouldn't give them access to the target's real account.

diggan 15 days ago [–]

> With passkeys there is nothing to check manually. If it works, you know it's the domain you registered on. If it doesn't work,

So exactly the same as password managers, there is no functional difference if you were using a password manager...

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact