
If I may, I'll repeat a comment I made a few days ago:

Give me an implementation I can self-host, without Google, Apple, etc. having effective control (including claws in my relevant software supply chain) and with an easy user experience, where I can maintain secure backups (on my own infrastructure, thank you) and smooth transition to future devices, and ideally, if needed, securely export root keys (cause if I don't control them then someone else owns them), and maybe I'll be interested.

In the meantime plain old high-entropy passwords with a good manager give me all those features and a simplicity that's hard to beat.

In my 30+ years of computing I've suffered more harm from failures of other companies than I have from any failure of my own diligence. The whole lesson learned is to reduce trust in them and, maybe I'm wrong, but everything I've read about passkeys and the like seems to put me at liberty of the companies developing and pushing the implementations of them down my throat. It will take a lot of trust before I give up my ability to copy/paste my credentials.

(https://news.ycombinator.com/item?id=37794379#37796842)



As I understand it (which means I can be completely wrong), in order to utilize Passkeys, at least at the browser level, you need support within the browser.

Firefox has a build that supports passkeys, and I believe 1Password has an extension for Firefox that supports passkeys.

If "all you need" for Passkey support is a custom extension, it should be straightforward to create one that does whatever you want (including storing your private keys in plain text in your home directory, which many argue is a bad idea, but that's not the point).

Is 1Password a magically signed and authorized extension, or can any Joe pound out a quick hack using JS and Firefox?

I appreciate that the client and credential management should be sophisticated and secure, etc. But the API is the API, it's supposed to be an open API, and I can understand Chrome, Safari, and Edge, being closed source browsers, may or may not allow anyone to hack their own keystore regimen.

But, I don't think Firefox is doing that (unless the 1Password extension is magically blessed by Firefox somehow). At a minimum, you can always go to the source, and rebuild Firefox to do what you want. Involved, to be sure, but possible.


Presumably your current password manager meets those requirements. Why not just use it (if it doesn't support passkeys today, it surely will) to manage your passkeys as well?



