Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

"Security at the expense of usability comes at the expense of security."

Technically yeah, device-bound keys are "more secure", but not if that results in people continuing to just use passwords instead because updating your credentials on dozens of sites every time you get a new phone or security key is too difficult.

Synced WebAuthn credentials are at least as secure as a properly-used password manager, way more usable, and a lot more secure than passwords, which is what they're replacing. Besides, there's still the option of using separate device-bound keys for situations where even higher levels of security are required.



There really does need to be a standard way to update credentials that works on every site...




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: