throwaway41597 | 3 years ago

Thanks for your reply. I think the issue you describe is more due to the website. A website that accepts Passkeys should provide a way to enroll a competitor. In this case it could be as simple as copying a code in one browser and pasting in the other. This isn't too bad if you consider that typing a user+password pair is also annoying though more familiar. Of course, it gets near impossible if the device is dead and the user wants to switch brands without any backup. But again, websites enrolling only one authenticator and no alternative are somewhat negligent.

I think people who evangelize Webauthn need to carefully convey the risks and remind everyone that end users need backups (multiple authenticators, backup codes...). Hopefully, down the road, it will force interoperability between big manufacturers so one authenticator can authorize another for all websites in one go (this probably requires websites to have a standard way to enroll new authenticators).

> My separate observation about a lack of support for hardware keys to be "paired" to support an off-site backup

This is worrying me more. Interoperability between tech giants is bad but the sovereign solution may never get there.