by WorldMaker 782 days ago
> True, but it’s still some protection: auto-fill won’t work on a different domain so phishing is harder. However, note that many legit sites, even payment gateways etc, use multiple strange-looking domains sometimes. This is beyond irresponsible imo, and the clear fault of the service provider.

Which is why the Passkeys spec clearly spells out this responsibility to the service providers and breaks if they get it wrong, truly making it their problem to solve. (It's the direct source of most of the complications described in the linked article's section #13, and indirectly mentioned in other sections.) Passkeys are domain specific and only domain specific and browsers do and will enforce that. It does what auto-fill can't and if a service provider uses multiple domains and gets things wrong, they are broken and have a service outage on their hands to fix, rather than "maybe they temporarily changed domains" still being a phishing vector for those relying on auto-fill as an anti-phishing deterrent (that still catches people that should know better because too many well known services are unreliable about temporarily jumping domains or just plain using way too many domains due to internal silos that shouldn't be so visible externally [cries in Azure]).

1 comment

Thanks for clarifying. And I agree with you. Users doing manual domain matching by gut feeling and glancing on the critical path was not a great idea, but made even worse by jittery companies who confused DNS with their org chart. So in that sense passkeys are superior, even to (traditional) pw managers. I’d be the first to cheer for a great passkey integration in my pw-manager of choice.

What I worry about is that companies will (yet again) grossly misuse improved auth technology to make the combined auth flows an even bigger shit mound than it already is, both for users and the poor souls who have to implement them. I don’t know exactly how, but I’m sure they’ll find a way.