225 points Terretta | 2 comments
1. varjolintu No.41869897
The worst thing about passkeys is how browser extensions must handle them: using JavaScript injections to the web page. Of course this means _any_ browser extension could do the same and be the man-in-the-middle inspecting the passkey creation and authentication. I'd be glad to have some kind of standard API behind a proper permission for handling passkeys.
replies(1): >>41869947 #
2. taeric No.41869947
The only thing that they should be able to intercept there, though, would be the specific passkey for the page you are authenticating with. With the specific challenge that was included, even. Such that it is not exportable to somewhere else for them to authenticate as you.

Sure, it sucks that anything is interceptable. But this is still an improvement over the status quo.
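
The challenge and origin binding discussed in this thread, as an added example that is not part of either comment: a relying-party check (Node.js) showing why a captured assertion is rejected when presented again or for another origin. `example.test`, `other.test`, `issueChallenge`, `verifyAssertion` and `simulateAssertion` are constructed names, and the simulated authenticator exists only to produce test input.

```javascript
const crypto = require('node:crypto');

// Constructed values for the demo (assumptions, not from the thread).
const RP_ID = 'example.test';
const RP_ORIGIN = 'https://example.test';
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();
const pending = new Set(); // challenges issued by the server, not yet consumed

function issueChallenge() {
  const challenge = crypto.randomBytes(32).toString('base64url');
  pending.add(challenge);
  return challenge;
}

// Relying-party side: returns 'ok' or the reason the assertion is rejected.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, publicKey) {
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (clientData.origin !== RP_ORIGIN) return 'wrong origin';
  // Single use: delete() is true only for a challenge we issued and have not seen back.
  if (!pending.delete(clientData.challenge)) return 'unknown or reused challenge';
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong rpId';
  if ((authenticatorData[32] & 0x01) === 0) return 'user not present';
  // The signature covers authenticatorData || SHA-256(clientDataJSON), so the
  // challenge and origin cannot be swapped without invalidating it.
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

// Hypothetical stand-in for browser + authenticator, used only to build test input.
function simulateAssertion(privateKey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authenticatorData = Buffer.concat([
    sha256(new URL(origin).hostname), // rpIdHash
    Buffer.from([0x01]),              // flags: user present
    Buffer.from([0, 0, 0, 1]),        // signature counter
  ]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const first = simulateAssertion(privateKey, issueChallenge(), RP_ORIGIN);
  return {
    fresh: verifyAssertion(first, publicKey),
    replayed: verifyAssertion(first, publicKey),
    otherOrigin: verifyAssertion(simulateAssertion(privateKey, issueChallenge(), 'https://other.test'), publicKey),
  };
}
```
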