zlacker

1. former+(OP) 2024-12-27 12:05:30
How does big tech exert control over your usage of WebAuthn?
replies(1): >>eadmun+R4
2. eadmun+R4 2024-12-27 13:15:53
>>former+(OP)
By enabling relying parties to blacklist or whitelist the devices their users are allowed to use.

It’s one more brick in the wall preventing general-purpose computing. Want to authenticate to Banana Computers? Well, you have to use one of their oDevices, because they will not let you use a RoboPhone to store your passkeys.

replies(2): >>lxgr+Df >>growse+5h1
3. lxgr+Df 2024-12-27 14:51:52
>>eadmun+R4
You seem to be thinking of attestation, which is not a thing anymore with at least Apple's and Google's implementation. (They both had it for their non-synchronizing device-bound authenticators, but have heavily or even entirely rolled that back in favor of passkeys.)

And since any solution excluding either of these is a non-starter, ironically the passkey push has made WebAuthn more open when it comes to client choice.

So while I agree that Apple and Google not allowing passkey exports (yet; I am cautiously optimistic that they'll eventually be pushed to offer that too) runs the risk of locking in non-sophisticated users, the future is looking very bright for everybody posting here at least.

4. growse+5h1 2024-12-27 21:55:42
>>eadmun+R4
Yeah, you're missing the point of why attestation is in the spec in the first place.

Show me a widely available service that filters authenticators based on attestation attributes?

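The mechanism the thread argues about, as an added illustration that is not part of any commenter's post: a relying party that wants to allow or block device models does so by reading the AAGUID out of the registration's attestationObject and comparing it against a list, and that decision is only meaningful when the attestation format carries a signature the RP can verify. The code below implements a small CBOR codec, the authData layout from the WebAuthn spec, and such a policy check; with fmt "none" (what synced passkeys from Apple and Google convey) the AAGUID is an unsigned claim, so the policy returns "undecidable" instead of filtering. All AAGUIDs, credential IDs, the RP ID and the placeholder signature are constructed sample values, and the example stops short of verifying the attestation signature and certificate chain, which a real RP must do before trusting the AAGUID.

```python
"""Relying-party device policy over a WebAuthn attestationObject (added example)."""
import hashlib
import struct

# --- minimal CBOR (RFC 8949) subset: ints, bytes, text, array, map ----------
def cbor_encode(v):
    def head(major, n):
        if n < 24:
            return bytes([(major << 5) | n])
        if n < 0x100:
            return bytes([(major << 5) | 24, n])
        if n < 0x10000:
            return bytes([(major << 5) | 25]) + struct.pack(">H", n)
        return bytes([(major << 5) | 26]) + struct.pack(">I", n)
    if isinstance(v, int):
        return head(0, v) if v >= 0 else head(1, -1 - v)
    if isinstance(v, bytes):
        return head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode()
        return head(3, len(b)) + b
    if isinstance(v, list):
        return head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(type(v))

def cbor_decode(buf, pos=0):
    """Decode one CBOR item at buf[pos]; returns (value, next_pos)."""
    ib = buf[pos]
    major, info, pos = ib >> 5, ib & 0x1F, pos + 1
    if info < 24:
        n = info
    elif info == 24:
        n, pos = buf[pos], pos + 1
    elif info == 25:
        n, pos = struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2
    elif info == 26:
        n, pos = struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major in (2, 3):
        data = buf[pos:pos + n]
        if len(data) != n:
            raise ValueError("truncated CBOR string")
        return (data if major == 2 else data.decode()), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            x, pos = cbor_decode(buf, pos)
            items.append(x)
        return items, pos
    if major == 5:
        d = {}
        for _ in range(n):
            k, pos = cbor_decode(buf, pos)
            x, pos = cbor_decode(buf, pos)
            d[k] = x
        return d, pos
    raise ValueError(f"unsupported CBOR major type {major}")

# --- authenticator data: rpIdHash(32) | flags(1) | signCount(4) | [AAGUID(16) | L(2) | credId] ---
AT_FLAG = 0x40  # attested credential data present

def parse_auth_data(ad):
    out = {"rp_id_hash": ad[:32], "flags": ad[32],
           "sign_count": struct.unpack(">I", ad[33:37])[0], "aaguid": None, "credential_id": None}
    if out["flags"] & AT_FLAG:
        out["aaguid"] = ad[37:53]
        cred_len = struct.unpack(">H", ad[53:55])[0]
        out["credential_id"] = ad[55:55 + cred_len]
    return out

# Constructed sample AAGUIDs standing in for the thread's "oDevice" and "RoboPhone".
BANANA_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
ROBO_AAGUID = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SIGNED_FORMATS = {"packed", "tpm", "android-key", "android-safetynet", "fido-u2f", "apple"}

def device_policy(attestation_object, allowed_aaguids, rp_id="example.test"):
    """Allowlist decision an RP could make at registration time."""
    obj, _ = cbor_decode(attestation_object)
    ad = parse_auth_data(obj["authData"])
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "reject: rpIdHash mismatch"
    if ad["aaguid"] is None:
        return "reject: no attested credential data"
    if obj["fmt"] == "none":
        # No signature over authData: the AAGUID cannot be verified, so no device filter is possible.
        return "undecidable: fmt 'none' carries no attestation signature"
    if obj["fmt"] not in SIGNED_FORMATS:
        return f"reject: unknown attestation format {obj['fmt']}"
    # A real RP verifies attStmt's signature and certificate chain here before trusting the AAGUID.
    return "allow" if ad["aaguid"] in allowed_aaguids else "reject: AAGUID not on allowlist"

def make_attestation_object(fmt, aaguid, rp_id="example.test"):
    """Build a constructed attestationObject (placeholder attStmt, truncated COSE key)."""
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([0x45]) + struct.pack(">I", 0)
                 + aaguid + struct.pack(">H", 4) + b"cred" + cbor_encode({1: 2, 3: -7}))
    att_stmt = {} if fmt == "none" else {"alg": -7, "sig": b"placeholder-signature"}
    return cbor_encode({"fmt": fmt, "attStmt": att_stmt, "authData": auth_data})

if __name__ == "__main__":
    for fmt, aaguid in (("packed", BANANA_AAGUID), ("packed", ROBO_AAGUID), ("none", BANANA_AAGUID)):
        print(fmt, aaguid.hex()[:8], "->", device_policy(make_attestation_object(fmt, aaguid), {BANANA_AAGUID}))
```

The three runs in the `__main__` block show the point of the thread in one place: with a signed format the RP can admit one model and refuse another purely on the AAGUID, while a passkey conveyed with fmt "none" gives the RP nothing it can verify and the filter never engages.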