undefined | Better HN

0 pointsanonymars9mo ago0 comments

I'm not familiar with this issue and a quick search didn't turn up anything obvious. Would you mind elaborating?

0 comments

They are referring to the ability of a site you are logging into forcing you to use a client from a specific list or having a list of clients to deny.

It's copied over from FIDO hardware keys where each device type needed to be identifiable so higher tier ones could be required or unsecured development versions could be blocked.

jjani9mo ago

This is what I was referring to, and we already have seen this happen in the wild with PayPal at one point (possibly still) blocking passkeys from e.g. Firefox. For now the argument against this seems to be that "Apple zeroes this out so service providers can't do it without risking issues for their many users who use Apple to store their keys", but clearly this is so precarious of a situation it may as well not be a thing. You can't depend on one trillion-dollar company not changing their minds on that tomorrow.

reginald789mo ago

Even with the current flimsy "What about iPhones?" defense against attestation, is there anything stopping say Microsoft from just forcing you to install a different app to use Microsoft services?

bux939mo ago

It's like DRM: it will annoy legitimate users and keep them from obviously legit usecases, and be circumvented by people who are motivated.

anonymarsOP9mo ago

Thanks, yes, I see this just came up in a similar comment thread (https://news.ycombinator.com/item?id=44823752)

What a crock, to not bother coming up with a way to make passkeys portable and then threaten to ban providers who actually thought about how humans might use them in the real world

pandorobo9mo ago

Specifically they are referring to synced passkeys (passkeys generated by services like Google password manager/1Password/Apple and are linked to that account).

Because these passkeys are stored in the Cloud and synced to your providers account (i.e. Google/Apple/1Password etc), they can't support attestation. It leads to a scenario where Relying Parties (the apps consuming the passkey), cannot react to incidents in passkey providers.

For example: If tomorrow, 1Password was breached and all their cloud-stored passkeys were leaked, RP's have no way to identify and revoke the passkeys associated with that leak. Additionally, if a passkey provider turns out to be malicious, there is no way to block them.

j / k navigate · click thread line to collapse