top | item 40180153

(no title)

scient | 1 year ago

The whole original point of what underpins FIDO2 was device locked, unphishable credentials. Wanting to export and move passkeys between devices is kind of counter to that. And I would argue vendors completing the attestation process are much more trustworthy than storing your own keys god knows where.

discuss

recursive|1 year ago

Oh, ok. If that's the same thing as passkeys, then I finally figured out that I'm not interested. To me it looks like another vector for platform lock-in, or getting mysteriously locked out of my accounts with no recourse. I'll wait for FIDO3.

Groxx|1 year ago

Yep. I absolutely refuse to support anything that wants to dictate what I do with my identity.

Such things do have purposes, in high-stakes environments. They prevent accidents. The vast majority of uses on the public web are not even remotely in that realm. It'd be better off being a separate spec that only a handful of internal-only systems use, ideally requiring MDM to set up conveniently (to strongly discourage normal and even high-stakes-normal website usage).

My banking website has absolutely no business knowing and being able to approve or deny what brand my authenticator is.