1. eadmun+(OP) 2024-12-27 13:15:53
By enabling relying parties to blacklist or whitelist the devices their users are allowed to use.

It’s one more brick in the wall preventing general-purpose computing. Want to authenticate to Banana Computers? Well, you have to use one of their oDevices, because they will not let you use a RoboPhone to store your passkeys.

replies(2): >>lxgr+Ma >>growse+ec1
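The allow/deny policy the comment describes, as an added illustration that is not part of the thread: a relying party reads the AAGUID from the attested credential data in WebAuthn authenticator data and accepts or rejects the registration against its own lists. The AAGUIDs, the sample authenticator data and the treatment of an all-zero AAGUID as "unattested" are all constructed assumptions for the example.

```python
import struct
import uuid

# Constructed convention for this example: an all-zero AAGUID carries no vendor identity.
UNATTESTED_AAGUID = uuid.UUID(int=0)


def parse_attested_credential(auth_data: bytes) -> dict:
    """Parse the fixed-layout part of WebAuthn authenticator data:
    rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if not flags & 0x40:  # AT flag: attested credential data must be present
        raise ValueError("no attested credential data (not a registration response)")
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credential id")
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count,
            "aaguid": aaguid, "credential_id": cred_id}


def evaluate_policy(aaguid: uuid.UUID, allow: set, deny: set, allow_unattested: bool) -> str:
    """Deny wins over allow; an empty allow list means 'any attested authenticator'."""
    if aaguid == UNATTESTED_AAGUID:
        return "accept" if allow_unattested else "reject"
    if aaguid in deny:
        return "reject"
    if allow and aaguid not in allow:
        return "reject"
    return "accept"


def build_auth_data(aaguid: uuid.UUID, cred_id: bytes) -> bytes:
    """Constructed sample: registration-style authenticator data with UP|UV|AT flags set."""
    return (b"\x11" * 32 + bytes([0x45]) + struct.pack(">I", 0) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")  # empty CBOR map as key stub


def demo() -> dict:
    """Run one strict (vendor A only) and one open policy over three constructed registrations."""
    vendor_a = uuid.UUID("00000000-0000-4000-8000-000000000001")  # placeholder AAGUID
    vendor_b = uuid.UUID("00000000-0000-4000-8000-000000000002")  # placeholder AAGUID
    samples = [("a", vendor_a), ("b", vendor_b), ("none", UNATTESTED_AAGUID)]
    parsed = {n: parse_attested_credential(build_auth_data(g, b"cred-" + n.encode())) for n, g in samples}
    return {"strict": {n: evaluate_policy(p["aaguid"], {vendor_a}, set(), False) for n, p in parsed.items()},
            "open": {n: evaluate_policy(p["aaguid"], set(), set(), True) for n, p in parsed.items()}}
```

The "strict" policy is the lock-in scenario the comment warns about; the "open" policy is what a relying party that ignores attestation effectively applies.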
2. lxgr+Ma 2024-12-27 14:51:52
>>eadmun+(OP)
You seem to be thinking of attestation, which is not a thing anymore with at least Apple's and Google's implementation. (They both had it for their non-synchronizing device-bound authenticators, but have heavily or even entirely rolled that back in favor of passkeys.)

And since any solution excluding either of these is a non-starter, ironically the passkey push has made WebAuthn more open when it comes to client choice.

So while I agree that Apple and Google not allowing passkey exports (yet; I am cautiously optimistic that they'll eventually be pushed to offer that too) runs the risk of locking in non-sophisticated users, the future is looking very bright for everybody posting here at least.

3. growse+ec1 2024-12-27 21:55:42
>>eadmun+(OP)
Yeah, you're missing the point of why attestation is in the spec in the first place.

Show me a widely available service that filters authenticators based on attestation attributes?