
Things I learnt about passkeys when building passkeybot

https://enzom.dev/b/passkeys/
54•emadda•3h ago

Comments

BoppreH•2h ago
Love these "lessons learned" posts, keep them coming!

My only feedback is about the Quickstart of passkeybot, "feed this example into a good LLM with these instructions". I understand the idea, but I was a bit shocked that the first time I see this sort of instructions is for an auth framework.

loloquwowndueo•2h ago
How to add passkeybot support to your site, according to their official guide:

start

(1) Copy / paste example_http_server into your LLM of choice (use a paid/good model). (2) Prompt: Implement the HTTP handlers here for my project,..

Um, no? How about you give me real instructions on how to do it? I’m not going to delegate a security-critical task to an LLM. And since I need to review it carefully myself anyway, I might as well write it all by hand, right? Like, the whole premise is I just need to implement a couple of webhooks.

gear54rus•1h ago
It's absolutely hilarious that someone would think that this passes for API docs nowadays. Still it's good to know what to avoid at the very first glance.

jiggawatts•44m ago
It's also a bit of a "bootstrapping" issue. How does anyone expect the AIs to learn to do things correctly if the instructions are not published for them to pick up during training?

This is like those "contact your system admin" error messages. I am the system admin!

the_mitsuhiko•32m ago
I think it's good. Quite frankly, it's the better experience to be given the right prompts to onboard into something than having to guess which inputs are right for the LLM.

ChrisMarshallNY•1h ago
Thanks for that!

I am in the middle of writing a passkey-driven server dashboard app (native SwiftUI app, with a small server component).

In the future, I would like to use passkeys as much as possible, but they do present a bit more friction to users than Sign in with Apple. When I was initially learning them I wrote this up: https://littlegreenviper.com/series/passkeys/

tptacek•1h ago
Regarding PKCE, the way I remember it is that OAuth2 was deliberately designed to eliminate as much actual cryptography as possible, relying instead on same-origin and TLS security; PKCE is one of the few things that introduces an actual cryptography primitive.

boombapoom•1h ago
i wish passkeys could replace passwords, not supplement them

spockz•51m ago
Why? Passwords can be remembered and entered on other devices for recovery. The plethora of passkeys out there cannot.

A bit the same way: although I love the keychain in macOS, it also makes me uncomfortable. Lose your phone and laptop in a theft or fire and you are locked out of your Apple account. Goodbye online presence.

wkat4242•41m ago
That's exactly the issue I have with passkeys. All that lock-in to big tech. I tried Bitwarden but most sites with passkeys didn't work with it (like Amazon and PayPal). And on Android it only wants to use the Google version (I don't use a Google account on my phone so that's not possible).

AlotOfReading•41m ago
The "standard" answer is that you should either use synced passkeys, or enroll multiple passkeys with the provider. The problem is that some providers (e.g. Paypal, some banks) only support one passkey, and synced passkeys aren't supposed to be trusted for attestation (unless they're synced by Apple/Google/Microsoft).

AlotOfReading•47m ago
And I wish passkeys could cover all the use cases of passwords, yet here we are. Passwords are simple and well understood. Passkeys have all sorts of sharp edges that you won't discover until you're hurt by them.

xg15•1h ago
> generateKey is a JS API that allows you to create new key pairs, where the private key cannot be extracted similar to passkeys.

Is that "cannot be extracted" from JS only, or is this an actual device-locked, TPM/SEP-bound key like passkeys?

If it is, it seems kind of like the buried lede to me that there is a browser API that lets any website build its own completely unstandardized quasi-passkey system and lock the key to the current device.

ajross•36m ago
Yes, where practical. Though recognize that by their very nature web apps aren't part of the trust network. The browser and security stack can make a key for them to use, but it's not possible to be sure that the user of that key is not subject to attack at the backend (or even front end, really the best you can do there is XSS protection, which is hardly at the standard of "cryptographically secure").

And likewise you as the app vendor can know the key was generated, and that it works, but you can't[1] know that it's actually locked to a device or that it's non-exportable. You could be running in a virtualized environment that logged everything.

Basically it's not really that useful. Which is sort of true for security hardware in general. It's great for the stuff the device vendors have wired up (which amounts to "secured boot", "identifying specific known devices" and "validating human user biometrics on a secured device"), but not really extensible in the way you'd want it to be.

[1] Within the bounds of this particular API, anyway. There may be some form of vendor signing you can use to e.g. verify that it was done on iOS or ChromeOS or some other fully-secured platform. I honestly don't know.

smallnix•39m ago
In oauth2: when I /1 associate a random uuidv4 for each new flow with my user (server side), /2 stick that uuid into the state parameter, and then /3 look up my user with this on callback-endpoint execution. Isn't PKCE in that case redundant?
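The state-plus-PKCE flow smallnix describes, as an added example that is not part of the thread or of passkeybot: the state nonce checks that the redirect came back to the session that started the flow, while PKCE (tptacek's "actual cryptography primitive", the S256 code_challenge of RFC 7636) checks that whoever redeems the code also holds the code_verifier, so an intercepted or replayed code alone is rejected. The AuthServer, start_flow and callback names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 specifies for S256
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def start_flow() -> dict:
    # Client side: one random state nonce and one PKCE verifier per flow (constructed names)
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    return {"state": secrets.token_urlsafe(16), "verifier": verifier, "challenge": s256(verifier)}


class AuthServer:
    """Toy authorization server: remembers which challenge each code was issued for."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}

    def issue_code(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        # Token endpoint: the code is single-use and the verifier must hash to the stored challenge
        expected = self._codes.pop(code, None)
        return expected is not None and hmac.compare_digest(s256(code_verifier), expected)


def callback(flow: dict, returned_state: str, code: str, server: AuthServer) -> bool:
    # state ties the redirect to the session that began the flow (smallnix's steps 1-3);
    # PKCE ties the code redemption to the client that still holds the verifier
    if not hmac.compare_digest(returned_state, flow["state"]):
        return False
    return server.redeem(code, flow["verifier"])


def demo() -> dict:
    server, flow = AuthServer(), start_flow()
    code = server.issue_code(flow["challenge"])
    results = {"honest": callback(flow, flow["state"], code, server)}
    results["replay"] = callback(flow, flow["state"], code, server)  # same code again: consumed
    code = server.issue_code(flow["challenge"])
    results["wrong_state"] = callback(flow, "someone-elses-state", code, server)  # code untouched
    results["wrong_verifier"] = server.redeem(code, "not-the-real-verifier")  # code without verifier
    return results
```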
