zlacker

[parent] [thread] 3 comments
1. eadmun+(OP)[view] [source] 2024-12-27 13:14:09
> Webauthn and Passkeys do not necessitate handing over control to "big tech".

Attestation enables a relying party to deny users the right of using their own software or devices. That hands over control.

replies(1): >>lxgr+yb
2. lxgr+yb[view] [source] 2024-12-27 14:55:50
>>eadmun+(OP)
Apple and Google discontinued attestation when they introduced passkeys. It's gone.

There are still lots of problems with passkeys, but it's worth staying up to date if you want to contribute to that discussion.

replies(1): >>eadmun+hJ1
◧◩
3. eadmun+hJ1[view] [source] [discussion] 2024-12-28 04:06:30
>>lxgr+yb
> Apple and Google discontinued attestation when they introduced passkeys. It's gone.

It would be great if you’re correct, but these references sure seem to indicate that attestation is still a thing.

Microsoft, November 2024: https://learn.microsoft.com/en-us/entra/identity/authenticat...

Yubico: https://developers.yubico.com/Passkeys/Passkey_relying_party...

Apple: https://developer.apple.com/documentation/devicemanagement/s...

Apple: https://support.apple.com/guide/deployment/managed-device-at...

Google, September 2024: https://android-developers.googleblog.com/2024/09/attestatio...

A Tour of WebAuthn, December 2024 (aka the fine article): https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn...

replies(1): >>lxgr+kL1
◧◩◪
4. lxgr+kL1[view] [source] [discussion] 2024-12-28 04:30:35
>>eadmun+hJ1
Android exclusively supports attestation for non-discoverable/synchronized keys, i.e. not passkeys. This also matches my observation that by opting in to attestation, you're automatically opting out of discoverable credentials and vice versa. (I don't remember from the top of my head which one you get if you both require attestation and discoverable credentials.)

TIL that Apple still supports attestation for MDMed devices, but MDM means corporate/enterprise managed devices, not regular iPhones and Macs. (I also suspect that these would be non-synchronized in the same way that Google does it.)

Yubico and other "key form factor" authenticators indeed do still offer it, which is why I only mentioned Apple and Google.

So my point stands: Passkeys as implemented by Apple and Google don't support attestation. TFA also does not contradict this.

And how would they? Attestation semantically certifies that a given key will never leave secure embedded hardware; passkeys are intentionally cloud-synchronized and users can replicate them to an unlimited number of devices.

[go to top]