
All the implementations I've seen do both: you "HAVE" your phone, and you "ARE" yourself because Touch ID, Face ID, or a passkey was used to unlock the key on the phone/Bitwarden/whatever you're using the passkey on. You still have to unlock the vault on the device you have in order to use the passkey.


"Thing you are" is not a replacement for "thing you know" because it can't be rotated (except surgically, and... nope)


There's really no need to rotate it because the biometric is only used locally. Your private key is kept encrypted at rest on your device, and a biometric (or PIN or password) is used to decrypt it during the passkey "do you have the correct private key?" authentication challenge.

The remote server only sees the result of the "do you have the correct private key?" challenge, not the biometric/PIN/password unlocking the private key that happens locally.
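The split described above, as an added example that is not part of the thread: the device seals the private key at rest under a key derived from the local unlock secret, unseals it only locally to sign the server's challenge, and the server verifies with nothing but the public key. Assumptions: the PIN-hash key derivation, the Ed25519 passkey algorithm and all names are constructed for illustration; a real authenticator keeps the wrapping key in a secure element.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device keeps the passkey private key sealed at rest; the unlock secret (PIN or
// biometric-derived value) is used only here and is never sent to any server.
type Device struct{ salt, nonce, sealed []byte }

// wrapKey derives the key-encryption key from the local secret. Constructed
// simplification: a real device keeps this key in a secure element, not a PIN hash.
func wrapKey(secret string, salt []byte) cipher.AEAD {
	k := sha256.Sum256(append([]byte(secret), salt...))
	block, _ := aes.NewCipher(k[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Enroll generates the passkey; only the public key is registered with the server.
func Enroll(secret string) (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	d := &Device{salt: make([]byte, 16), nonce: make([]byte, 12)}
	rand.Read(d.salt)
	rand.Read(d.nonce)
	d.sealed = wrapKey(secret, d.salt).Seal(nil, d.nonce, priv, nil)
	return d, pub
}

// Sign is the device side: unseal the key locally, then sign the server's challenge.
// A wrong secret fails AEAD authentication, so the key never leaves sealed storage.
func (d *Device) Sign(secret string, challenge []byte) ([]byte, error) {
	priv, err := wrapKey(secret, d.salt).Open(nil, d.nonce, d.sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("local unlock failed: %w", err)
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), challenge), nil
}

// Verify is the server side: it holds only the public key and the challenge it issued.
// The challenge must be fresh and random per login so a captured signature cannot be replayed.
func Verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}
```

Call Enroll once at registration, then Sign on the device and Verify on the server for each login; the secret passed to Sign never appears in anything the server receives.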


No-one's forcing you to use biometrics. Stick a strong password on your device and now it's guarded by something you know.



