by throwawayqqq11 921 days ago
Am I the only one concerned about the tendency of putting your identity on hardware you possibly do not own?

What a wet dream for the internet controlling fascists when the adoption of "just wield your smart phone" auth would be in place and mandated everywhere.

Nothing compares to the secrecy of passwords.


My identity is already on hardware I don't own, my government ID card. What do you foresee the risks being, and why are these risks only possible with secure authentication?
Your government ID card is not widely adopted as a method of authentication, I guess. This is where this new passkey approach comes in. My concern is that this new method might completely replace old-fashioned passwords. And once everyone is used to having a hardware token, the next step of only accepting or selling government approved devices is a small one. This could ultimately make anonymity impossible. Because you don't control the hardware or the spec.

Imagine being required to have and use your govID for simply everything, because there is no alternative.

This is not a risk of secure authentication, which passwords can also provide.

$Corps loved to harvest phone numbers as a second factor even though a second fallback email address would be at least as secure as SS7 communication. But phone numbers are tied more strongly to your identity, and so more valuable for the data brokers.

This is the same thing actually. Tying identity to something you have and not something you alone know. Something external.

Having a single external dependency for all your identities sounds like a good idea to you? For fascists and data brokers it certainly does.

To me, this is an attack on anonymity and I know that I sound paranoid. Let's wait for the enshittening.

You DON’T have to trust any company or government for passwordless authentication. Don’t want to use your phone? Use a hardware key instead. Don’t want to use a hardware key? Use an open source solution like Bitwarden (and it’s not the only one).

At this point, you’re just making shit up about something you don’t understand.

> Don’t want to use your phone? Use a hardware key instead. Don’t want to use a hardware key? Use an open source solution like Bitwarden (and it’s not the only one).

You're ignoring the fact that WebAuthn can require attestation, which will remove device choice from the equation.

You haven't understood my point.

> Nothing compares to the secrecy of passwords.

Because they are solely internal to you.

Yes, you can generate passkeys at will ... and then you give them away to a USB dongle or HSM, from which some day you might not be able to export them, because vendors love their locked-in customers.

I am talking about control and yes, my concerns are speculation but reasonable to me, when you look at pretty much all the recent developments. From not-WEI through DRM to right to repair and on and on.

What? Security keys are only "identity" in that they deliver opaque, secure numbers. The actual important bits are somewhere else anyway.

FIDO is a standard algorithm and doesn't need a phone.