by stavros
1107 days ago
> If the passkey is truly secure, you don’t get your key back if you lose the passkey. If you make a copy of the passkey, the passkey purists will say it’s not “secure”.

That's an uncharitable interpretation. A more charitable way to say this is: You can choose between secure/uncloneable and less secure but more flexible. Passkeys let you make the choice and don't dictate it for you. Choose whatever better suits your use case.

EDIT: I've written a short post to clarify a few misconceptions: https://www.stavros.io/posts/clearing-up-some-passkeys-misco...

If it's the user, how do I as a user choose right now?
If it's the service implementing passkeys, why wouldn't they force a solution that's easier for them (less testing/less support/less maintenance, by forcing attestation to a specific list of providers), instead of letting users have an option?
Passkeys are an awesome solution to a difficult problem. But they are one bitflip away from eliminating user choice. Fix that problem, and I think folks here will jump on it in a heartbeat.