The advantage is that the password never leaves the device. It has a public key and signs challenges with the private key, but nothing sensitive goes over the wire on every login.
It should be noted that that is not an inherent advantage of passkeys over passwords. It is possible to achieve the same with passwords, e.g. by using a hash-cascade.
Sure, but then you still need a protocol between user agent and website. If you just do this in JavaScript, you're not protected against phishing sites just forwarding the password entered directly.
Passkeys can in fact be backed by exactly this, i.e. an HMAC-only stateless implementation backed by a single password: https://github.com/lxgr/brainchain
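As an added illustration of the point made in this exchange (the hash-cascade remark and the reply about needing a protocol between user agent and website), and not code from the thread or from the brainchain project: a small simulation of a WebAuthn-style assertion in which the browser, not the page's JavaScript, fixes the RP ID and records the origin, so an assertion obtained on a phishing origin fails verification at the real site, placed next to a password that the phishing page's JavaScript simply forwards. The origins, the master secret, and the use of HMAC in place of the authenticator's asymmetric signature are constructed assumptions for the demo.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed master secret standing in for a password-derived root
# (the stateless, HMAC-only idea mentioned in the thread).
MASTER_SECRET = b"constructed-demo-master-secret"


def derive_credential_key(master: bytes, rp_id: str) -> bytes:
    """One credential key per relying party, derived statelessly from the root secret."""
    return hmac.new(master, rp_id.encode(), hashlib.sha256).digest()


def browser_get_assertion(master: bytes, origin: str, challenge: bytes) -> dict:
    """Simulated browser + authenticator.

    The browser, not the page's JavaScript, decides the rp_id (the origin's host)
    and records the origin in clientData, so the page cannot lie about who it is.
    HMAC stands in for the asymmetric signature a real authenticator would produce.
    """
    rp_id = urlparse(origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    authenticator_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    to_sign = authenticator_data + hashlib.sha256(client_data).digest()
    key = derive_credential_key(master, rp_id)
    return {
        "client_data": client_data,
        "authenticator_data": authenticator_data,
        "signature": hmac.new(key, to_sign, hashlib.sha256).digest(),
    }


class RelyingParty:
    """Minimal server side: issues challenges, verifies assertions, checks the origin."""

    def __init__(self, origin: str, credential_key: bytes):
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        # Registered at enrolment; a public key in real WebAuthn.
        self.credential_key = credential_key
        self.pending: dict[str, bytes] = {}

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending[challenge.hex()] = challenge
        return challenge

    def verify(self, assertion: dict) -> bool:
        client_data = json.loads(assertion["client_data"])
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("origin") != self.origin:
            return False  # origin binding: an assertion made on a phishing page fails here
        if self.pending.pop(client_data.get("challenge"), None) is None:
            return False  # unknown or already-used challenge
        if assertion["authenticator_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # rpIdHash must match this relying party
        expected = hmac.new(
            self.credential_key,
            assertion["authenticator_data"] + hashlib.sha256(assertion["client_data"]).digest(),
            hashlib.sha256,
        ).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def run_scenarios() -> dict:
    bank_origin = "https://bank.example"          # constructed
    phish_origin = "https://bank-login.example"   # constructed look-alike
    bank = RelyingParty(bank_origin, derive_credential_key(MASTER_SECRET, "bank.example"))

    # 1. Legitimate login: the user really is on bank.example.
    challenge = bank.new_challenge()
    legit_ok = bank.verify(browser_get_assertion(MASTER_SECRET, bank_origin, challenge))

    # 2. Phishing relay: the fake site fetches a real challenge from the bank, has the
    #    victim's browser produce an assertion, and forwards it. The browser derived the
    #    key for the phishing host and wrote the phishing origin into clientData.
    challenge = bank.new_challenge()
    phish_ok = bank.verify(browser_get_assertion(MASTER_SECRET, phish_origin, challenge))

    # 3. Password for comparison: whatever hashing the page's JavaScript is supposed
    #    to do, the phishing page controls that JavaScript and just forwards the secret.
    stored_hash = hashlib.sha256(b"correct horse").hexdigest()
    forwarded_by_phish_js = b"correct horse"
    password_ok = hashlib.sha256(forwarded_by_phish_js).hexdigest() == stored_hash

    return {"legit": legit_ok, "phish_relay": phish_ok, "password_forwarded": password_ok}


if __name__ == "__main__":
    print(run_scenarios())
```

The relay in scenario 2 fails on the origin check first, and would also fail on the rpIdHash and on the per-RP key even if the origin field were tampered with, which is the property the thread calls phishing resistance; the password in scenario 3 has nothing binding it to the site it was typed into.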
> Sure, but then you still need a protocol between user agent and website.
Yes of course. Just like you do for passkeys.
> Passkeys can in fact be backed by exactly this, i.e. a HMAC-only stateless implementation backed by a single password: https://github.com/lxgr/brainchain
No, not quite. It's written on there:
> "Login" with your passphrase, and you can create non-discoverable WebAuthN credentials (don't call them passkeys, but definitely be reminded of them) at ~all~ some websites supporting them (...)
That's the thing: with passwords, a website/app cannot prevent you from controlling the password yourself. With passkeys and attestation it can.
But attestation for passkeys is dead. Neither Apple's, nor Google's implementation (with negligible exceptions) support it anymore, so any site demanding attestation will immediately disqualify > 99% of all potential users.
Some still might, e.g. for corporate or high security contexts, but I don't think it'll become a mass-adopted thing if things don't somehow drastically change course.
It's still in the standard. They could remove it, but they don't, so from my perspective it's just like how Google wasn't evil. Until they decided otherwise.
Yes, because hardware authenticators (like Yubikeys) still commonly support it, and it makes sense there.
I guess they could add an explicit remark like "synchronized credentials must not support attestation", and given the amount of FUD this regularly seems to generate I'd appreciate that. But attestation semantics seem to be governed more by FIDO than the W3C, so putting that in the WebAuthN spec would be a bit awkward, I think.
Hm, I disagree. I prefer if the user has the freedom to choose how they want to do things. At the cost of some users choosing the wrong way and then getting problems. It's a question of balance, but when I look at recent tech/internet history, I tend to not want to give central authorities any more power than they already have.
Ideally, sure, but the reality is just that some entities are not only reputationally, but also legally required to bear the liability for account takeovers.
In other words, you have a principal-agent problem: Users doing custom software passkey acrobatics and the banks liable for any funds lost.
Preferably, use of attestation should be limited to these (and enterprise) scenarios, and I do share the concern of others starting to use them as weak proofs of humanity etc.
> Ideally, sure, but the reality is just that some entities are not only reputationally, but also legally required to bear the liability for account takeovers.
Seems like an absolutely rare edge case to me. Or maybe even just a misunderstanding. I doubt there is a law that says that. If anything, I could imagine a law saying that a company has to take "sufficient precautions".
But even if what you say were to be true - that's not something to solve with tech. That means the law should be changed.
Bank and payment card transactions are arguably a pretty big part of everyday life to most people.
> I doubt there is a law that says that.
Reg E/Z in the US and PSD2 in the EU pretty firmly put the burden for these types of situations/losses on the bank/PSP. They don't specifically mandate the "how", but for better or worse, industry perception and common practice is for that to include root detection, blocking VoIP numbers from receiving SMS-OTPs etc.
> That means the law should be changed.
The law that makes banks liable for most cases of account compromise? I'm actually quite happy with that, even if it comes with some unfortunate externalities.
It is absolutely unfair to say it. Just like passwords stored in a password manager, passkeys can be copied out of the device for safekeeping. Because you can copy them out, a user can be induced to give them to someone.
I saw passkey boosters go very, very rapidly from "Passkeys are immune to phishing!" to "Passkeys are phishing resistant!" when lots of real-world people started using passkeys and demonstrated that you absolutely must have a way to back them up and move them around.
Yes, they're synchronized, but I wouldn't call that "copying them out", as that to me implies somehow getting access to the raw private key or root secret bytes.
Both Apple and Google have pretty elaborate ceremonies for adding a new device to an existing account in a way that synchronizes over passkeys.
> ...as that to me implies somehow getting access to the raw private key or root secret bytes.
When passkeys were first introduced, they were 100% stuck to the device on which they were created. There was absolutely no real way to copy them off. This is when proponents were -correctly- making the claim that they were immune to phishing.
When lots of users (who -notably- were not supported by whole-ass IT departments who set up and run systems that handle provisioning and enrolling new devices) started using passkeys, the correctness of the thing that many non-boosters were screaming ("You have to have a way to back these up and move them between devices!") became abundantly clear. Passkeys became something that could be copied off of devices, and proponents -correctly- switched to the claim "Passkeys are phishing resistant".
Once things switched around so that passkeys were no longer stuck on a single device, third-party managers got the ability to manage and copy passkeys. [0]
Hopefully it's now clear that the shift from "they never leave the device" to "they do leave the device" (and the consequences of this change) is what I'm talking about.
[0] At least, they will for the next five, ten years until the big players decide that it's okay to use attestation to lock them out to "enhance security".
It sounds like part of the problem is that two rather separate standards of "phishing" are getting conflated:
1. "Hi, I'm your bank, log in just like you normally do." (Passkeys immune.)
2. "Hi, I'm your bank, do something strange I've never ever asked you to do before by uploading some special files or running this sketchy program." (Passkeys just resist.)
The problem with the expansive definition is it basically starts to encompass every kind of trick or social-engineering ever.
That qualifies as "immune to phishing" as far as I'm concerned. No reasonable person using a reasonable implementation will ever be successfully victimized in that manner.
We need to stop pretending that padded cells for the criminally incompetent are a desirable design target. If you are too stupid to realize that you are being taken for a ride when asked to go through a manual export process and fork over sensitive information (in this case your passkeys) to a third party then you have no business managing sensitive information to begin with. Such people should not have online accounts. We should not design technology to accommodate that level of incompetence.
If you can't stop driving your car into pedestrians in crosswalks you lose your license. If you can't stop handing over your bank account number to strangers who call you on the phone you lose all of your money. If you eat rotten food you get sick and possibly die. If you hop a fence and proceed to fall off of the cliff behind it you will most likely perish. To some extent the world inherently has sharp edges and we need to stop pretending that it doesn't because when we do that it makes the world a worse place.
I too am skeptical we’ll really be able to catch everyone. By making public tools we just create evals to beat the tools etc.
Still, right now I think we can tell, so I focused on making sure they were my words, but I let an LLM help edit and I think it honestly made it much more readable.
What parts felt too stretched? Or just as a composition would you have preferred I narrow it down? I thought it was fun that it goes a little overboard. To me it felt like doing so captured just how much these journeys can change over time.
I tried to focus on 3 main bits:
Early exploration, problems between people, and then how much is ultimately in or out of your control
The art’s aesthetic, which resembles Calvin and Hobbes, is disrespectful to its creator, Bill Watterson.
Bill spent a lot of energy fighting commercialization of his work, arguing that it would devalue his characters and their personalities. I don’t know what is cheaper than using an AI model to instantly generate similar art, for free.
You did do pretty well! I don't think the final result was ruined at all. Not many people will notice things like his pants only being brown in the first image, or their eyes only having whites in the third image, or his jacket sometimes having a hood and sometimes not.
Compared to what we see on most blogs, even patio11's, this is capital-A Art.
Hey hacker news! I wrote this and I’m glad it connected with folks.
To answer a few of your comments:
Writing is all mine but I had Claude proofread it, in addition to some close friends. Honestly it pointed out some great weaknesses in the original draft.
The art is all nano-banana through a tool called flora ai. I’d love to work with a human illustrator for something like this. I can draw, but I can’t paint and there’s an aesthetic here I think it handles better than I would have.
Man, it’s amazing that I can get something out there that expresses a vision all by myself. If this were a revenue generating project like an actual children’s book or something I’d love to work with someone that could bring it to life a bit more.
You left out the higher entity that takes away a significant portion of the snow that was accumulated at regular intervals.
It doesn't need to ruin the metaphor, though:
The sun could do that job. It could also explain the fact that the portion that's taken differs depending on where on earth you are creating the snowball.
This is one of my favourite styles of illustration and I really wanted to know the source. I read so many children’s books for my son and sometimes I take books from the library just for this clean style.
I know it wouldn’t have happened easily with Nano Banana to keep things consistent across multiple images. I haven’t tried recently, but image generation gets progressively worse (darker and off base) as you generate multiple of them. So kudos for the amazing art.
As someone who had an interest in drawing as a child and have bought trackpads and tablets, but never had the time & developed the skill to actually create the things that I imagine, I completely understand what you did.
I know some people are going to be upset at model generated illustrations. But I think the alternate is probably, no illustrations. There’s a lot of unnecessary AI image slop all around and most add no value or worse makes you just avoid reading the content by their awfulness. This was done really well and I am not sure I would have read it fully without it.
> As someone who had an interest in drawing as a child and have bought trackpads and tablets
Buying digital drawing tools before you have the fundamentals nailed is a bad idea.
For anyone reading this who wants to learn how to draw: look up dynamic sketching, it’s a method that was developed by Norm Schureman at Art Center in LA in the 90s, targeted to getting product design students quickly up to speed. It’s very analytical and works well with engineer-brained people in my experience.
It’s mostly carried by Peter Han, a former student of his, these days, you can easily find resources online.
I completely agree. But, it’s one of those things you do “as a hobby”. I have also been gifted some Japanese drawing pencils because of my interest and occasional scribbles, but I have refused to open them because I can’t do justice to them.
Shoot a way to contact you to tecoholic at bawolf.com and I'll invite you to a copy of the board you can duplicate and mess around with.
I appreciate the sentiment and I agree. While I think there are countless humans who could do way better, I was never going to hire someone to illustrate this. Furthermore, I don't think it reads very interestingly without the images. I doubt it would have even gotten published.
But now thousands of people have seen it, and it's shown that it can strike a chord. Maybe it is worth polishing a little more. It would be adorable as a small book.
I bought the starter membership, which is 20k credits for $18, and I have 5.7k credits left. They charge 50 credits a generation for nano banana. There was some LLM usage to plan the images too, so the math is a little blurry, but that should give you a rough sense.
You might find this fun. There's this Sonic the Hedgehog special stage from Sonic 3 that takes place on a sphere. Recently I made a remake of it: they project a 2D grid onto a sphere, but the projection adjusts as you move, so no matter where you go, you never end up at a pole. The poles always stay on your sides.
The other interesting bit is that you can have an arbitrary map size and just repeat it. The game is 32x32 but it could be whatever.
People will like them when they’re good content. Right now we’re stuck in the in-between where it’s kind of all-or-nothing AI, but it will get grayer when the feedback loops are tighter and building AI movies is more interactive. Same thing with any special effects, really.
I think AI has its place in special effects, but "making a blockbuster movie for $1000" requires replacing all the actors, music, cinematography, everything that makes a movie "art" except maybe the plot. And I have never seen anyone respond well to AI "art" of any form. I've seen some fairly passable (if a bit boring) AI music passed around on Reddit and it was universally met with disgust simply because it was AI.