Project ideas from Hacker News discussions.

Don't use passkeys for encrypting user data

📝 Discussion Summary

1. Passkeys feel opaque and hard to manage
Users complain that the technology is “hidden” and that they can’t see or control what they’re actually storing.
- SoftTalker: “Managing them looks complicated and I don’t understand the ramifications of what I’m doing.”
- pibaker: “Passkeys are designed to be hidden from the user… people can’t get a grasp on passkeys… they keep losing their accounts for no good reason.”
- petee: “I started deleting every entry I couldn’t immediately recognize… I didn’t know these were passkeys.”

2. Security benefits clash with the risk of losing access
Passkeys are praised for phishing resistance, but many users fear that a lost device or accidental deletion will lock them out forever.
- realityking: “One advantage of passkeys is that they’re phishing‑resistant… bound to the website you created them for.”
- bensyverson: “If you encrypt data with a generated password and then delete it, you’re toast, and passkeys are no different.”
- pibaker: “If you lose the device, you lose the key and any data encrypted with it. The recovery process can be a nightmare.”

3. Attestation and platform lock‑in create distrust
The spec’s attestation feature and the way big‑tech ecosystems handle passkeys raise concerns about vendor control and future restrictions.
- hedora: “The standard includes a hardware attestation path… that’s the backdoor allowing the eventual takeover of your OS.”
- johncolanduoni: “Attestation is not about the OS or browser; it only attests to the device that holds the key.”
- hedora: “If they make attestation mandatory, you’ll be forced to use a patched OS with an attestation bit set in the key.”

4. Fragmented ecosystem and inconsistent support
Different browsers, OSes, and password managers implement passkeys in incompatible ways, leading to confusion and broken workflows.
- peterspath: “Bitwarden doesn’t export passkeys; Firefox on Linux can’t use them; Chrome on Windows works, but not everywhere.”
- buzer: “Passkeys are broken on PC/Linux when using Firefox… you have to use Chrome or Edge.”
- peterspath: “Some password managers inject JavaScript to handle passkeys, which is fragile and not universally supported.”

These four themes—opaque UX, security‑vs‑access trade‑offs, attestation/lock‑in fears, and ecosystem fragmentation—dominate the discussion.


🚀 Project Ideas

Passkey Guardian

Summary

  • Browser extension that gives users full visibility into their passkeys, showing which sites use which passkeys, warning before deletion, and allowing backup to a local encrypted file.
  • Core value proposition: reduces accidental data loss, improves passkey management, and provides transparency across browsers and password managers.

Details

| Key | Value |
|---|---|
| Target Audience | Users of passkeys in browsers, especially those using password managers |
| Core Feature | Passkey inventory, metadata display, deletion warnings, local encrypted backup, multi‑passkey support per site |
| Tech Stack | TypeScript, WebExtensions API, IndexedDB, WebCrypto, optional Supabase for sync |
| Difficulty | Medium |
| Monetization | Hobby |

Notes

  • “shepherdjerred” complains that passkey managers don’t show why deleting a passkey matters.
  • “mgrandl” and “arjie” highlight accidental deletion and lack of clarity.
  • The extension would surface metadata and warn users, directly addressing these frustrations.

SelfPass

Summary

  • Self‑hosted passkey vault that stores passkeys locally, supports export/import, encryption, and integrates with popular password managers, eliminating cloud lock‑in.
  • Core value proposition: gives users full control over their passkeys, solves export and backup pain points, and offers enterprise‑grade security.

Details

| Key | Value |
|---|---|
| Target Audience | Power users, privacy‑conscious individuals, enterprises |
| Core Feature | Local encrypted vault, REST API, CLI, web UI, export/import, integration with Bitwarden/1Password |
| Tech Stack | Rust backend, PostgreSQL, WebSocket, React, WebCrypto |
| Difficulty | High |
| Monetization | Revenue‑ready: subscription for enterprise support |

Notes

  • “borealid” and “peterspath” lament the lack of exportable passkeys.
  • “mgrandl” struggles with confusion over passkey storage.
  • SelfPass provides a self‑hosted, transparent solution that directly tackles these concerns.

BackupPass

Summary

  • Tool that creates a dedicated encryption key per backup file and encrypts that key with multiple passkeys (age‑style multi‑recipient encryption), ensuring data remains recoverable even if one passkey is lost.
  • Core value proposition: protects encrypted backups from accidental passkey loss and simplifies key management.

Details

| Key | Value |
|---|---|
| Target Audience | Users who encrypt data with passkeys and need reliable backups |
| Core Feature | Per‑file key generation, multi‑passkey encryption of keys, easy decryption with any stored passkey |
| Tech Stack | Rust, age library, CLI, optional lightweight GUI |
| Difficulty | Medium |
| Monetization | Hobby |

Notes

  • “dansjots” proposes a similar approach; “johncolanduoni” and “peterspath” echo the need for redundant passkeys.
  • BackupPass implements this idea, directly addressing the risk of losing encrypted data when a passkey is deleted or lost.

PasskeyEncryptor

Summary

  • PWA/desktop app that encrypts files using passkeys, allowing users to select which passkey to use per file, with offline operation and a simple UI.
  • Core value proposition: gives users granular control over file encryption, avoids data loss when passkeys are lost, and improves usability over generic password managers.

Details

| Key | Value |
|---|---|
| Target Audience | Users who want to encrypt files with passkeys (e.g., developers, privacy advocates) |
| Core Feature | File encryption/decryption, per‑file passkey selection, local encrypted backup, offline mode |
| Tech Stack | Electron or PWA, TypeScript, WebCrypto, WebAuthn |
| Difficulty | Medium |
| Monetization | Hobby |

Notes

  • “dansjots” already built a PWA example; “arjie” and “mgrandl” highlight confusion around passkey usage.
  • PasskeyEncryptor provides a clear, user‑friendly workflow that mitigates those pain points.
