undefined | Better HN

0 pointsbriHass2y ago0 comments

Yep. The end game of this is that web applications will, either through laziness or a sense of 'better security', only accept passkeys attested by Google/Apple/MS and/or those backed by TPM with non-exportable keys. You have to register with the FIDO Alliance to obtain an attestation GUID, and unsurprisingly, only the big guys are on the list: https://github.com/passkeydeveloper/passkey-authenticator-aa...

This move by Bitwarden clearly shows that they believe products that allow you to export/backup your keys will be blackballed, so they played it safe and blocked that.

0 comments

lxgr2y ago

My government's e-signing web application (which stores private keys on the vendor's servers for all citizens, but that's another story) already does that.

It used to not even accept Yubikeys, only a fairly unknown other brand; now they finally do support Yubikeys, but only the "FIDO L2" certified kind, i.e. the FIDO and "security key" models, but not the most common plain Yubikey ones...

camkego2y ago

The repo README for the link you provided says "This is a community-driven list of known passkey provider AAGUIDs to assist with naming passkeys in end user passkey management interfaces (e.g. account settings)."

It also says: "It is not intended to be used for any other purpose and could go away at any time."

Finally it looks like anyone can contribute attached to an implementation according to the Readme

pests2y ago

It does say it will come in a future version now. The FAQ has been edited since the comment with the original quote.

j / k navigate · click thread line to collapse