• mystik@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    8 months ago

    Passkeys are great, and generally a plus for security; but (a) all the most popular implementations have not implemented key export and transfer to alternate implementations (b) It includes an implementation ID + hardware attestation feature which can be used to disable ‘unapproved’ implementations by key consumers. Considering the most common device with a ‘secure’ environment, and can implement this are your cell phones, and they are made by Apple + Google, this effectively locks your identity to either of these platforms. © All the public signals smell and look like the providers (apple, google, Microsoft) are doing everything they can to implement the features to make lock in all but inevitable, including mandating that implementations user-hostile features, or risk being rejected by sites.

    It’s a great idea, and it could be awesome, but things are not being addressed. Or being handwaved as “we can address them later”. This recent discussion from last month (both the discussion in the linked github issue, and in the HN thread both including some key players in the PassKey system) is pretty telling: https://news.ycombinator.com/item?id=39698502

    • asudox@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      7 months ago

      I remember reading the W3C or FIDO Alliance docs for passkeys and they talked about the exportability of them. I think they said that they shouldn’t be exportable.