Hacker News

lxgr, yesterday at 10:17 PM (2 replies)

> Generally, authenticators are “something you have.”

Shameless plug: Here's one that is "something you know" :) https://github.com/lxgr/brainchain

It derives all keypairs from a passphrase, and rederives the private key from the key handle, similar to "stateless" hardware authenticators.

Please don't use it for anything important – it's a fundamentally bad idea, similar to "brain wallets"; I only implemented it to figure out whether it was possible, and to improve my own understanding of the WebAuthn and FIDO specifications.
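The pattern the comment describes, as an added illustration (not brainchain's own code, nor the commenter's): every key is derived from a passphrase, and the credential's key handle carries just enough (a nonce plus an HMAC tag) for the private key to be rederived on demand, the way "stateless" hardware authenticators do. The KDF salt, the domain-separation labels and the handle layout are this example's own choices; the P-256 parameters are the standard ones.

```python
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (standard public values, used for a pure-Python keypair).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = -3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):  # double-and-add scalar multiplication (not constant-time; demo only)
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r

def master_secret(passphrase: str) -> bytes:
    # Everything below depends on this one secret: a slow KDF raises the cost of
    # guessing but cannot add entropy the passphrase does not have (the brain-wallet problem).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"brainchain-demo-salt", 100_000, 32)

def _scalar(master: bytes, rp_id: str, nonce: bytes) -> int:
    d = hmac.new(master, b"key|" + rp_id.encode() + b"|" + nonce, hashlib.sha256).digest()
    return int.from_bytes(d, "big") % (N - 1) + 1

def make_credential(master: bytes, rp_id: str):
    """Registration: returns (key_handle stored by the RP, public key point)."""
    nonce = secrets.token_bytes(32)
    tag = hmac.new(master, b"handle|" + rp_id.encode() + b"|" + nonce, hashlib.sha256).digest()
    return nonce + tag, _mul(_scalar(master, rp_id, nonce), G)

def rederive(master: bytes, rp_id: str, handle: bytes):
    """Assertion: rebuild the private scalar from passphrase + handle, or None if the
    handle was not minted under this passphrase for this RP."""
    nonce, tag = handle[:32], handle[32:]
    expect = hmac.new(master, b"handle|" + rp_id.encode() + b"|" + nonce, hashlib.sha256).digest()
    return _scalar(master, rp_id, nonce) if hmac.compare_digest(tag, expect) else None

def on_curve(pt) -> bool:
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P == 0
```

The RP never sees the passphrase or the scalar; an attacker who obtains the handle and the public key is limited only by how guessable the passphrase is, which is exactly the caveat the comment raises.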


Replies

calrain, today at 1:03 AM

There was an interesting Kickstarter a while ago called DiceKeys https://www.crowdsupply.com/dicekeys/dicekeys that provided a physical mechanism to store the seed of a passkey.

If you then purchased passkeys that supported a custom seed, you could then replicate this seed to as many keys as you needed.

There are always security tradeoffs, but this was a mechanism to store something in the real world that had about 115 bits of entropy, as 'something you know'.

IshKebab, today at 8:02 AM

Why is it fundamentally a bad idea? Seems like a reasonably good idea to me.