
Yeah, I've been very disappointed that Bitwarden haven't implemented passkey and OTP storage using a KMS.

Sure, I'd have to be online then to use a passkey stored in Bitwarden. But it wouldn't be something that could be stolen off Bitwarden.

And I could reasonably protect Bitwarden with a physical passkey.



> But it wouldn't be something that could be stolen off Bitwarden.

Hah. I'm not the only one thinking about ways to use AWS KMS for it!

But the attacker can still impersonate you and ask the HSM service to sign data for them.

Ideally, I really want a system with a proof of physical interaction. The existing HSM APIs are not well-suited for that. But if you can trust the software that runs on the service that provides the HSM access, then this can be done with minor caveats on macOS.


If the passkeys were stored in some cloud KMS, then yes, someone could still impersonate me.

Ideally, but they wouldn't be able to steal the keys, it would only be temporary.

That said, yes, we'd have to trust the server side software that grants access to the keys in KMS.

In the end this level of indirection would sort of defeat the point. It wouldn't really be better than OIDC using a provider where you have a passkey.

Incidentally, I have 2FA on important accounts, and prefer to use Google/GitHub/Facebook for sign-in on other sites whenever possible.
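A small model of the custody argument in the two posts above, added here as an illustration and not code from Bitwarden, AWS, or anyone in the thread: keys are generated inside a KMS-like service and never leave it, clients hold only a key ID and an access grant, so a stolen vault yields no key material, while a stolen grant allows signing until it is revoked. HMAC is a constructed stand-in for the passkey's asymmetric signature so the script runs with the standard library only.

```python
import hmac, hashlib, secrets

class KmsService:
    """Models a KMS/HSM: keys are generated inside and are non-exportable.
    HMAC stands in for the passkey's asymmetric signature (constructed model)."""
    def __init__(self):
        self._keys = {}       # key_id -> secret bytes; never returned to callers
        self._tokens = set()  # access grants issued by the server-side software

    def create_key(self):
        key_id = "key-" + secrets.token_hex(4)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id  # only the handle leaves the service

    def issue_token(self):
        tok = secrets.token_urlsafe(16)
        self._tokens.add(tok)
        return tok

    def revoke_token(self, tok):
        self._tokens.discard(tok)
    def sign(self, token, key_id, challenge):
        if token not in self._tokens:
            raise PermissionError("access revoked or never granted")
        return hmac.new(self._keys[key_id], challenge, hashlib.sha256).digest()

    def verify(self, key_id, challenge, sig):
        # Stands in for the relying party checking the assertion.
        good = hmac.new(self._keys[key_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(good, sig)

def scenario():
    """Walks through the thread's argument and reports what each party can do."""
    kms, challenge = KmsService(), b"constructed relying-party challenge"
    key_id, token = kms.create_key(), kms.issue_token()
    vault = {"example.com": key_id}  # all a stolen vault database would hold
    legit = kms.verify(key_id, challenge, kms.sign(token, key_id, challenge))
    vault_has_key = any(isinstance(v, bytes) for v in vault.values())
    # Vault plus a stolen access grant: signing still works, so impersonation
    # is possible until the grant is revoked ("it would only be temporary").
    with_token = kms.verify(key_id, challenge, kms.sign(token, key_id, challenge))
    kms.revoke_token(token)
    try:
        kms.sign(token, key_id, challenge)
        after_revoke = True
    except PermissionError:
        after_revoke = False
    return {"legit": legit, "vault_has_key_material": vault_has_key,
            "vault_plus_token": with_token, "after_revoke": after_revoke}
```

Run `scenario()` to see the four outcomes side by side; the point the thread makes is the gap between `vault_has_key_material` (False) and `vault_plus_token` (True).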



