zlacker

[parent] [thread] 4 comments
1. reddal+(OP) 2024-12-27 10:48:16
100% agree. Passwords + OTPs are the best solution, IMO. No big tech can control this, and it's easy to keep a grasp on all the credentials we have.

WebAuthn? No, thanks.

replies(1): >>former+54
2. former+54 2024-12-27 12:05:30
>>reddal+(OP)
How does big tech exert control over your usage of WebAuthn?
replies(1): >>eadmun+W8
3. eadmun+W8 2024-12-27 13:15:53
>>former+54
By enabling relying parties to blacklist or whitelist the devices their users are allowed to use.

It’s one more brick in the wall preventing general-purpose computing. Want to authenticate to Banana Computers? Well, you have to use one of their oDevices, because they will not let you use a RoboPhone to store your passkeys.

replies(2): >>lxgr+Ij >>growse+al1
4. lxgr+Ij 2024-12-27 14:51:52
>>eadmun+W8
You seem to be thinking of attestation, which is not a thing anymore with at least Apple's and Google's implementation. (They both had it for their non-synchronizing device-bound authenticators, but have heavily or even entirely rolled that back in favor of passkeys.)

And since any solution excluding either of these is a non-starter, ironically the passkey push has made WebAuthn more open when it comes to client choice.

So while I agree that Apple and Google not allowing passkey exports (yet; I am cautiously optimistic that they'll eventually be pushed to offer that too) runs the risk of locking in non-sophisticated users, the future is looking very bright for everybody posting here at least.

5. growse+al1 2024-12-27 21:55:42
>>eadmun+W8
Yeah, you're missing the point of why attestation is in the spec in the first place.

Show me a widely available service that filters authenticators based on attestation attributes?
