undefined | Better HN

0 pointsjorams10mo ago0 comments

They paraphrased what you said in the thread, but I don't think it's much of a misrepresentation.

You may have "been one of the most vocal proponents of synced passkeys never being attested to ensure users can use the credential manager of their choice", but as soon as one such credential manager allows export that becomes "something that I have previously rallied against but rethinking as of late because of these situations".

There may not currently be attestation in the consumer synced passkey ecosystem, but in the issue thread you say "you risk having KeePassXC blocked by relying parties".

The fact that that possibility exists, and that the feature of allowing passkeys to be exported is enough to bring it up, is a huge problem. Especially if it's coming from "one of the most vocal proponents of synced passkeys never being attested", because that says a lot about whoever else is involved in protocol development.

0 comments

3 comments · 1 top-level

timmyc12310mo ago· 2 in thread

You should really re-read the entire discussion. It wasn't about passkeys being able to be exported. It was specifically about clear text export.

> The fact that that possibility exists,

The possibility does not exist in the consumer synced passkey ecosystem. The post is from a year and a half ago.

lelandbatey10mo ago

A year and a half ago doesn't really matter; that this was ever even a concern from the industry, something that the industry could make happen at all, or even just was thinking about doing at some point in the past, poisons the entire effort. In a world where password+totp already exists and requires almost no hoops, no dependencies and is incredibly secure vs basic password flows, it's no wonder that folks remember discussions around curtailing user freedom around a new authentication pattern which already was less convenient, offers less user control, and further centralizes infrastructure in the hands of a few major brokers of technological power.

Until we have full E2E passkey implementations that are completely untethered from the major players, where you can do passkey auth with 3 raspberry pi's networked together and no broader internet connection, the security minded folks who have to adopt this stuff are going to remember when someone in the industry publicly said "if you don't use a YubiKey/iPhone/Android and connect to the internet, ~someone~ might ban you from using your authenticator of choice."

timmyc12310mo ago

> Until we have full E2E passkey implementations that are completely untethered from the major players, where you can do passkey auth with 3 raspberry pi's networked together and no broader internet connection

This is already possible today. And since it's a completely open ecosystem, you can even build your own credential manager if you choose!

j / k navigate · click thread line to collapse