Right. Because a non-device-bound key means you are now trusting not just the device, but the management of those keys, how they are moved between devices, and what devices the manager of the keys allows them to be stored on. Some parties are going to be better at that management than others. For example, you might trust Google but not Bitwarden.
I gather from what you say that attestation of a passkey doesn't include information about who is managing it. If true, I can just generate my own passkeys, store them in plain text on my laptop, manage them with a home-grown shell script, and copy them to any device I please. Maybe someone can write a Firefox extension that does all that for me. Have it auto-sync between my devices, put a long enough password on it, and I could replace Bitwarden with it.
Them being phishing-resistant I guess means they are still an improvement on passwords, but my, they are a major compromise on the original WebAuthn vision.
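As an added illustration of what a relying party can and cannot learn from a passkey (this is example code written for this page, not something from the comment above or from any passkey provider): the WebAuthn authenticator data carries two flag bits, BE (backup eligible) and BS (backup state), that say whether the credential is single-device or synced, plus an AAGUID that may identify the authenticator model and is all zeros when the attestation format is "none". Neither field says who operates the sync service, which is the point the comment makes. The sample bytes below are constructed, the rpIdHash is for an assumed `example.com`, and the trailing COSE key bytes are a placeholder because this code does not decode CBOR.

```python
"""Parse WebAuthn authenticator data and report what a relying party learns about a passkey."""
import hashlib
import struct

# Flag bits of the authenticator data "flags" byte, as defined by WebAuthn.
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligible: credential may be synced to other devices
FLAG_BS = 0x10  # Backup State: credential is currently backed up / synced
FLAG_AT = 0x40  # Attested credential data follows
FLAG_ED = 0x80  # Extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode rpIdHash, flags, signCount and (if present) attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    backup_eligible = bool(flags & FLAG_BE)
    backup_state = bool(flags & FLAG_BS)
    # WebAuthn forbids BS=1 with BE=0; treat it as malformed rather than guessing.
    if backup_state and not backup_eligible:
        raise ValueError("invalid flags: backup state set without backup eligibility")
    result = {
        "rp_id_hash": auth_data[:32].hex(),
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": backup_eligible,
        "backup_state": backup_state,
        "sign_count": sign_count,
    }
    offset = 37
    if flags & FLAG_AT:
        if len(auth_data) < offset + 18:
            raise ValueError("truncated attested credential data")
        result["aaguid"] = auth_data[offset:offset + 16].hex()
        (cred_len,) = struct.unpack(">H", auth_data[offset + 16:offset + 18])
        offset += 18
        cred_id = auth_data[offset:offset + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credential ID")
        offset += cred_len
        result["credential_id"] = cred_id.hex()
        # The COSE-encoded public key follows. Without extension data it runs to
        # the end; with ED set a CBOR decoder is needed to find where it stops.
        if not flags & FLAG_ED:
            result["cose_public_key"] = auth_data[offset:].hex()
    return result


def classify_binding(parsed: dict) -> str:
    """Say what the BE/BS flags reveal about device binding (and nothing more)."""
    if not parsed["backup_eligible"]:
        return "single-device credential"
    if parsed["backup_state"]:
        return "multi-device credential, currently synced"
    return "multi-device credential, not currently backed up"


def build_sample(flags: int, sign_count: int = 0) -> bytes:
    """Constructed authenticator data for demonstration; not captured from a real authenticator."""
    rp_id_hash = hashlib.sha256(b"example.com").digest()  # assumed RP ID
    header = rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
    if not flags & FLAG_AT:
        return header
    aaguid = bytes(16)          # all-zero AAGUID, as seen with attestation format "none"
    cred_id = bytes(range(16))  # constructed credential ID
    cose_key = bytes.fromhex("a50102032620012158200000")  # placeholder bytes, not a real COSE key
    return header + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key


if __name__ == "__main__":
    for name, flags in [("synced passkey", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT),
                        ("security key", FLAG_UP | FLAG_UV | FLAG_AT)]:
        parsed = parse_authenticator_data(build_sample(flags))
        print(f"{name}: {classify_binding(parsed)}, AAGUID {parsed['aaguid']}")
```

A relying party that wants device-bound credentials can check `backup_eligible` at registration and reject synced ones; what it still cannot see from these bytes is which service holds the synced copy or how that service protects it, which is exactly the trust question the comment raises.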