by knome 1235 days ago
I'm not sure. I remember looking at OpenID when it was announced, and the rabbit hole I ran down made me think it was built on WebAuthn in some fashion, as a set of providers or something.

If that's not the case, that is very unfortunate. I veered into reading the WebAuthn spec for a bit then and found I largely liked what I found there.

Some complexity from trying to define how to handle people lugging around shareable keys on their phones and similar in the spec, but overall I liked it. I found it all very reasonable.

1 comments

It’s not built on WebAuthn but it could work with it. WebAuthn is essentially just an alternative to typing in your password.
>WebAuthn is essentially just an alternative to typing in your password.

I had thought it was the key confirmation used by OpenID and that OpenID was more of an industry keying system backend and push for WebAuthn on websites. Apparently I need to reread it.

WebAuthn removes all secret information on the company side, making company password database breaches a thing of the past. "Oh no, you stole a public key specific to this website that you can't even use to log into the site you stole it from because you need the private key to do that."
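
An added example, not part of any comment in the thread: a simplified challenge/response login in Node.js showing that the server-side table holds only public keys, so its contents cannot produce a valid login. It is not the real WebAuthn wire format (no CBOR, `clientDataJSON` or attestation); `credentialDb`, `makeAuthenticator`, `verifyLogin` and the `example.test` relying-party ID are hypothetical names chosen for illustration.

```javascript
// Simplified WebAuthn-style login: illustrative only, not the real message format.
const crypto = require('node:crypto');

// Server side: the only per-user credential stored. A dump of this table yields public keys.
const credentialDb = new Map(); // username -> public key (PEM)

// Authenticator side: the private key stays inside this closure and is never sent.
function makeAuthenticator(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    // Sign the relying-party ID together with the server's challenge.
    sign: (challenge) =>
      crypto.sign('sha256', Buffer.concat([Buffer.from(rpId), challenge]), privateKey),
  };
}

function register(username, publicKeyPem) {
  credentialDb.set(username, publicKeyPem);
}

// A fresh random challenge per login attempt prevents replay of old signatures.
function newChallenge() {
  return crypto.randomBytes(32);
}

function verifyLogin(username, rpId, challenge, signature) {
  const pem = credentialDb.get(username);
  if (!pem) return false;
  const signed = Buffer.concat([Buffer.from(rpId), challenge]);
  return crypto.verify('sha256', signed, pem, signature);
}

function demo() {
  const rpId = 'example.test'; // constructed relying-party ID
  const alice = makeAuthenticator(rpId);
  register('alice', alice.publicKeyPem);

  const c1 = newChallenge();
  const sig1 = alice.sign(c1);
  const legit = verifyLogin('alice', rpId, c1, sig1);

  // Someone holding only the dumped table has no matching private key,
  // so any signature they produce comes from a different key.
  const c2 = newChallenge();
  const otherKey = makeAuthenticator(rpId);
  const withoutPrivateKey = verifyLogin('alice', rpId, c2, otherKey.sign(c2));
  // A previously observed signature does not verify against a new challenge.
  const replayed = verifyLogin('alice', rpId, c2, sig1);
  return { legit, withoutPrivateKey, replayed };
}
```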