
How easy will it be to implement? We should keep in mind the most dangerous guys out there store passwords in clear text in databases and other amateurish rookie mistakes. Having easy to use / impossible to f__k up libraries for every major platform is going to be critical.



There are two methods, IIRC. `get` and `create`. Everything is done with Challenge/Response with the browser handling the Private Stuff. It's hard to mess up, at a glance.

You ask the browser to create an asymmetric key pair. It returns the public key, which the server saves. On login, you provide a challenge to the browser to sign using the private key from earlier. It returns the signed message and the server verifies the signature.


What if the user is trying to log in via a device different from the first one?


I can't tell what "a device" means here.

If you mean "what if I only used Security Key A to register, but now I want to sign in with Security Key B?" the answer is that you can't, that's the wrong key. Register all the keys you want to use.

If you meant what if I registered with my Pixel phone and now want to sign in on my Windows PC, that just works fine. The client "state" lives in the Security Key (actually there is no state whatsoever in affordable designs), it's very clever cryptography.



