Hacker News new | ask | show | jobs
by Ajedi32 1503 days ago
WebAuthn is way better than (for example) OAuth in this regard, since the identity provider doesn't actually hold your private key; but I agree there are still potential concerns about vendor lock-in.

Ideally there will be third-party credential databases (just like with password managers), and a way to export your keystore and import it into another provider. That would solve this problem.
1 comments
Zamicol 1503 days ago
Why is there a need for a third party at all?
link
Ajedi32 1502 days ago
If you don't want your identity to be tied to one specific device, then you need somewhere to store your keystore that isn't on that device.

Technically you don't need a third or even a first party for that; you could self-host. In practice though, the overwhelming majority of users will be using some sort of cloud storage service. A third party service in this case is likely better than first party since I don't want to lose my credentials if I decide to use a different OS or browser, and browser/OS vendors haven't been great on cross-platform compatibility for credential storage thus far.

link