kingstnap | 1 day ago

I cannot believe this guy.

> You absolutely should be preventing users from being able to copy a private key!

> Asking you to put basic protections in place and collaborate with the ecosystem/industry is hardly "anti-user-choice mentality".

> the lack of identifying passkey provider attestation (which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations).

Does this guy deflate his neighbors' tires before going to work to save them from car accidents?

I cannot believe he has this ridiculous paternalistic behaviour while simultaneously having these bullet points on his personal website that he linked to.

> digital identity ● urban mobility user choice ● boston bruins

timmyc123 | 3 hours ago

Hey

I'm the guy you're talking about. Always easy to crap on people when you selectively quote what they said. The core pieces you left out are:

> I don't quite understand why requiring file protection/encryption can't be a temporary minimum bar here.

> or at a minimum require file protection/encryption.

If you think helping users to be safe online (which includes putting basic safeguards in place, like not leaving hundreds of unencrypted private keys on someone's desktop or downloads folder in plain text) isn't an important part of designing solutions for global scale, then we think about things very differently.

Telaneo | 21 hours ago

I'm curious how much this one guy, all on his own, has stalled passkey adoption.

In theory, this issue could never touch average users. It's only power users who use standalone open-source password managers. All the options normal users are funnelled into aren't going to expose passkeys in plain text (except maybe Firefox?), and thus aren't going to be phishable in any meaningful sense.

But this guy opted to tell the open-source community that having exportable passkeys is wrong, full stop, and that open-source implementations might get banned for allowing this, planting a gigantic red flag right next to the very idea of passkeys, making every single power user who sees that post (which is linked on every thread which touches on passkeys) either completely reject the idea, or approach it with extreme caution. And thus no power user will recommend it to anybody else, not to mention the general usability problems they have.

I guess if it weren't him, the same ideas would have been made clear in other ways.