> Website: is this Jimbob's phone?
> Hardware: yes
And
> Website: I'll give you a dollar if you tell me something juicy about this user
> Hardware: Give this token to Microsoft and ask them
> Microsoft: Jimbob is most likely to click ads involving fancy cheeses, is sympathetic to LGBTQ causes, and attended a protest last week
With passwords and TOTP codes, I am in control of what information is exchanged. Passkeys create a channel that I can't control and which will be used against me.
(I chose Microsoft here because in a few months they're using the Windows 10->11 transition to force people into hardware that locks the user out of this conversation, though surely others will also be using passkeys for similarly shady things.)