yomlica8 | 2 years ago

> I personally feel safer that passkeys aren't sync'd across multiple vendors' products.

Last time I checked into these, hardware attestation was part of the specification but the ability to export them from a vendor's platform is not. In practice that will mean unapproved platforms can be shut out and walled gardens strengthened. Which will happen sooner or later because it can. Apple supposedly zeroes their attestation but that is only a partial mitigation and relies upon the values of a giant corporation not changing its mind for any host of business reasons. And it does nothing to stop other platforms.

aseipp|2 years ago

FIDO itself specifies that attestation can be used but it's extremely likely browsers aren't going to ever support it for the same reason Apple has publicly said they won't: because attestation is a misfeature for Passkeys, because it completely eliminates the (very important and large) ability to synchronize Passkeys across devices using third-party apps or built-in browser mechanisms. Having to manually re-enroll every device is like a step backwards 10 years into the past from a usability POV. Device attestation for passkeys was always 100% DOA for this reason, because without it, they can't form a suitable password replacement in the existing ecosystem, where synchronization is basically expected.
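An added example (mine, not from anyone in this thread) of the relying-party side of what yomlica8 and aseipp are describing: parsing a WebAuthn attestationObject and then applying either an attestation-agnostic policy or an AAGUID allow-list, the mechanism by which a service could shut out unapproved platforms. The registration bytes, rpIdHash, credential id and COSE key are constructed placeholders, and the zeroed AAGUID stands in for the kind of anonymised attestation the thread mentions.

```python
def cbor_decode(buf, pos=0):
    """Minimal CBOR decoder: ints, byte/text strings, arrays and maps with
    lengths up to 16 bits, which covers a WebAuthn attestationObject."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major in (4, 5):
        items = []
        for _ in range(arg * (2 if major == 5 else 1)):
            v, pos = cbor_decode(buf, pos)
            items.append(v)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
    raise ValueError("unsupported CBOR major type %d" % major)

def parse_attestation(att_obj):
    """Pull fmt, AAGUID and credential id out of an attestationObject."""
    obj, _ = cbor_decode(att_obj)
    auth = obj["authData"]          # rpIdHash(32) | flags(1) | signCount(4) | attestedCredData
    if not auth[32] & 0x40:         # AT flag: attested credential data present
        raise ValueError("registration response carries no credential data")
    cred_len = int.from_bytes(auth[53:55], "big")
    return {"fmt": obj["fmt"], "aaguid": auth[37:53], "cred_id": auth[55:55 + cred_len]}

def accept_credential(parsed, allowed_aaguids=None):
    """RP policy: None = attestation-agnostic (any platform can enroll); a set =
    AAGUID allow-list, which locks out everything not on it, zeroed AAGUIDs included."""
    return allowed_aaguids is None or parsed["aaguid"] in allowed_aaguids

# Constructed registration response: fmt "none", AAGUID all zeros, 16-byte credential id.
AUTH_DATA = (bytes.fromhex("11" * 32) + b"\x45" + b"\x00\x00\x00\x00"   # rpIdHash, UP|UV|AT, counter
             + bytes(16) + b"\x00\x10" + bytes(range(16)) + b"\xa1\x01\x02")  # aaguid, idLen, id, COSE {1:2}
ATT_OBJ = (b"\xa3" + b"\x63fmt" + b"\x64none" + b"\x67attStmt" + b"\xa0"
           + b"\x68authData" + b"\x58\x4a" + AUTH_DATA)
```

Calling `accept_credential(parse_attestation(ATT_OBJ))` accepts the enrollment, while passing any allow-list that omits the zeroed AAGUID rejects it, which is exactly the lock-out the thread is worried about.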

yomlica8|2 years ago

Bizarre they would make room in the specification for a DOA misfeature no one is going to use and everyone hates. Why not remove it from the spec and place the requirement of synchronization support into the spec instead?

kstrauser|2 years ago

I don't know that I've encountered a service that allows exactly one passkey. Everything I've tried either doesn't support passkeys at all, or supports multiple. In the latter case, add an iOS/Android passkey and something separate like a YubiKey. If one gets lost or you stop using it, the other still works.