
225 points Terretta | 4 comments
1. tdpvb No.41871446
While better in many ways, broadly speaking this could mean no more throwaway accounts?

Passkeys that require embedding on personal devices like cell phones mean direct affiliation with your identity, no? Seems like a shadow benefit to industry is perfect ad targeting across the web.

2. dustyventure No.41871705
No, a site can require attestation that you are on a kind of device but it can't correlate a key you have registered with it with one you create for any other site.
3. tdpvb No.41872908
Right, but I imagine most sites will continue to use third-party authorization for passkeys, similar to Okta, Auth0, et al? They'd even be incentivized to do so if it meant more granular user profiling -- all alongside third-party guarantees of "real verification", etc.
4. dustyventure No.41873201
What 3rd party password/passkey manager you use is not the business of a site, unlike when they list allowed single sign-on OAuth vendors. And using the managers is an alternative to using a secure enclave correctly.

Monopolists will try to erode options and force everything onto their platform, but if they didn't succeed with OAuth I don't see them being further ahead with warping the FIDO standards to be like it.