top | item 47190231

(no title)

hedora | 2 days ago

100% of the arguments against using passkeys for e2ee data apply to using passkeys as credentials.

(Unless they are not credentials, and you can loose them then do a password reset via a phishing prone channel like email and SMS. Supporting this eliminates any possible user benefit of passkeys.)

In addition to the arguments in the article, when used as credentials, they are an obvious trojan horse allowing large websites to completely hijack your operating system.

Don’t believe me? Try logging into a bank or using rideshare/parking/ev charging with degoogled android. This is where passkeys are taking PCs, and it is their only purpose.

So, “Don’t use passkeys” would be a better title.

discuss

lxgr|1 day ago

> Don’t believe me? Try logging into a bank or using rideshare/parking/ev charging with degoogled android.

What does root detection and other device attestation have to do with passkeys? Passkeys (at least Google's and Apple's) don't support device attestation.

inkysigma|2 days ago

Passkeys are an open standard? You might as well argue against SSH keys.

hedora|2 days ago

The standard includes a hardware attestation path.

That’s the backdoor allowing the eventual takeover of your OS.

First people use passkeys, and they become standard.

Then they become required for important accounts for security.

Then the important accounts require the attestation bit.

At that point, you cannot run web browsers on open source operating systems.

This is all boring and predictable. It is exactly what they did with Android, and exactly the same organizations are pushing passkeys.

Note: If they had good intentions, the operating system would manage any attestation, and not allow websites to query for or require attestation support.