undefined | Better HN

0 pointsgrowse9mo ago0 comments

What makes you think that the Webauthn standards are "targeted at running services for the general public"?

> It seems like the requirements already diverged.

No, the requirements are _contextual_. This isn't a new idea.

0 comments

The fact that sites targeted at the general public are prompting me to use them. Should websites avoid using passkeys and webauthn? Would you like to tell them that they're doing it wrong?

growseOP9mo ago

I missed a word out from my question. Let me try again.

What makes you think that the Webauthn standards are _only_ "targeted at running services for the general public"?

ori_b9mo ago

Yeah, so if you want me to trust them, the harmful parts need to get removed from specs used in public contexts.

I would love to use public key cryptography to authenticate with websites, but enabling remote attestation is unacceptable. And pinky swears that attestation won't be used aren't good enough. I've seen enough promises broken. It needs to be systematic, by spec.

Passwords suck. It's depressing that otherwise good alternatives carry poisonous baggage.

If you make something possible, it will be used.

1 more reply

j / k navigate · click thread line to collapse

0 comments

ori_b9mo ago

The fact that sites targeted at the general public are prompting me to use them. Should websites avoid using passkeys and webauthn? Would you like to tell them that they're doing it wrong?

growseOP9mo ago

I missed a word out from my question. Let me try again.

What makes you think that the Webauthn standards are _only_ "targeted at running services for the general public"?

ori_b9mo ago

Yeah, so if you want me to trust them, the harmful parts need to get removed from specs used in public contexts.

Passwords suck. It's depressing that otherwise good alternatives carry poisonous baggage.

If you make something possible, it will be used.

1 more reply

j / k navigate · click thread line to collapse