
225 points Terretta | 2 comments
solarkraft No.41860069
I had hope for passkeys, with all the interop-promises.

It turned out that no (mainstream) passkey provider allows backups however, making them infinitely worse than just using passwords.

Maybe this will help, but fuck me, it’s all complicated, especially for a damn foundational security mechanism!

It could be so simple, just look at SSH keys, which I think largely use the same principle.

replies(5): >>41860481 #>>41863668 #>>41864115 #>>41864718 #>>41866900 #
1. gre345t34 No.41866900
To be fair, the WebAuthn spec expressly forbids facilitating the extraction of credentials from the authenticator (though arguably even syncing between devices violates the spec).
replies(1): >>41867688 #
2. lxgr No.41867688
If the vast majority of implementers (by users) are not compliant with a spec, that arguably says something about the spec as well.