Project ideas from Hacker News discussions.

Things I learnt about passkeys when building passkeybot

πŸ“ Discussion Summary (Click to expand)

1. Criticism of LLM-based Quickstart for Security Code

Users criticized passkeybot's guide for delegating auth implementation to LLMs, preferring manual docs. "I’m not going to delegate a security-critical task to an LLM" (loloquwowndueo). "It's absolutely hilarious that someone would think that this passes for API docs" (gear54rus). Author clarified it's for code translation with review: "The LLM is only for converting the JS based example code into your language X" (emadda).

2. Vendor Lock-in via Attestation and Client Blacklisting

Debate raged over passkeys enabling Big Tech lock-in by blacklisting exportable clients like Bitwarden/KeePassXC. "The passkey spec authors think websites should be able to ban clients which allow users to manage their own data" (coldpie). "If enough RPs ban clients that let users manage their own data... it is effectively required" (coldpie). Defenders noted spec intent: "The point of passkeys is that they're unexportable" (jeroenhd).

3. Usability and Recovery Issues Across Devices

Passkeys frustrate with multi-device sync, orphaned keys, and poor fallbacks. "Lose your phone and laptop... you are locked out" (spockz). "If I lose the device that has all my passkeys, I wouldn't be able to login into my emails either" (literallywho). "Every login was... fails -> try again... two unnecessary clicks" (godelski). Edge cases like single-passkey limits persist (IgorPartola).


🚀 Project Ideas

Passkey Integration Code Generator

Summary

  • A web-based tool that generates secure, reviewed boilerplate for the passkey server side (the HTTP endpoints that handle the WebAuthn registration and authentication ceremonies) in various languages and frameworks, based on user inputs like framework and auth flow.
  • Solves the frustration with LLM-dependent quickstarts for security-critical auth; provides "real instructions" with copy-paste code, sequence diagrams, and tests that exercise the checks a relying party must perform (challenge, origin, rpIdHash, user-presence flag, signature, counter).

Details

Target Audience: Web developers integrating passkeys into apps
Core Feature: Select language/framework, generate HTTP handlers, sequence diagrams, and unit tests from passkeybot-style specs
Tech Stack: React/Vue frontend, Node.js backend, template-based code generation (e.g., Handlebars), GitHub repo export
Difficulty: Medium
Monetization: Hobby

Notes

  • HN users hate "feed this example into a good LLM" for auth: "I’m not going to delegate a security-critical task to an LLM... give me real instructions" (loloquwowndueo); "hilarious that someone would think that this passes for API docs" (gear54rus).
  • High utility for "lessons learned" posts; sparks discussions on best practices.

OpenPasskey Vault

Summary

  • Self-hosted password manager focused on passkeys with full export/import of private keys in a standard encrypted format, multi-device sync via your server, and cross-platform support (Linux/Mac/Windows/Android).
  • Addresses lock-in, device loss, and orphaned keys: "Lose your phone... locked out"; enables backups without big tech.

Details

Target Audience: Privacy-focused users/devs avoiding Apple/Google/Microsoft sync
Core Feature: Passkey creation/storage/export (FIDO-compliant authenticator), QR/Bluetooth cross-device transfer, orphaned key cleanup API
Tech Stack: Rust core for key storage and signing, Tauri (cross-platform desktop), SQLite/WebDAV sync
Difficulty: High
Monetization: Revenue-ready: Donations + premium sync server

Notes

  • Tackles "vendor lock-in" fears: "stuck in corporate ecosystems... must have option to back up" (wkat4242); "if I lose the device... unpersoned" (immibis); HN loves self-hosted like Pocket ID.
  • Practical for multi-OS users: "How do I login from Linux if only iCloud?" (godelski); fosters FOSS attestation debates.
  • Caveat the thread itself raises: an authenticator that exports private keys is exactly what attestation-based RP policies can refuse ("The point of passkeys is that they're unexportable"), so the vault should document which sites reject it and never export keys unencrypted.

Passkey Provider Prioritizer Extension

Summary

  • Browser extension that intercepts passkey prompts, lists all available providers (native, extensions, hardware), sets user-defined defaults/priorities, and handles multi-passkey enrollment per site.
  • Fixes UX friction: confusing defaults, extra clicks, ecosystem bias: "browsers keep defaulting to cloud accounts" (jeroenhd).

Details

Target Audience: Multi-device users with 3rd-party managers (Bitwarden, 1Password, YubiKey)
Core Feature: Custom provider ranking UI on prompt, auto-select, bulk enroll multiple keys, fallback reminders
Tech Stack: WebExtensions API (Firefox/Chrome), Native Messaging for OS integration
Difficulty: Medium
Monetization: Hobby

Notes

  • Directly solves "provider management is horrendous... extra clicks" (jogu, godelski): "Apple wants iCloud... behind 'Choose another method'" (jeroenhd).
  • Feasibility caveat: the WebExtensions API offers no way to enumerate or reorder the providers in the browser's native passkey chooser. An extension can only get ahead of that prompt by replacing navigator.credentials.create/get from a script injected into the page (the approach third-party manager extensions already use) and falling back to the original call when the user picks a native provider. That injected code sits in the page's origin, so it must not trust page-supplied options and must enforce the same rpId/origin rules the browser would.
  • HN would adopt instantly for daily friction; potential for viral sharing in passkey threads.
