[hedora]

Assuming the Apple side of the API doesn't prompt the user before setting a passkey, sites will inevitably start using passkeys as tracking cookie replacements.

I can't believe they'd be that shortsighted when designing up the APIs for this.

[sakjur]

That’s an interesting aspect. I’m not sure that’d be practical, but I’m not sufficiently read up on passkeys to say for sure. I don’t think passkeys are passed automatically and I really hope they’re not available via CORS? That should limit the utility of passkeys as tracking cookies. I also believe it informs the user when it’s used, based on the demo.

And if that’s an attempt at circumventing the EU ePrivacy directive (“the cookie law”) it’s unlikely to work based on my reading (IANAL) of the paragraph in question:

> Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...

[TheNewsIsHere]

The idea of using passkeys as a tracking mechanism is intellectually interesting but I am dubious that it's technically feasible with the current design.

Passkeys, be they platform or roaming authenticators, are generally bound to a public key and/or a public key + domain name. My understanding of the design is that the specification doesn't contemplate the idea of passing around passkeys via CORS or similar mechanisms. Part of the security design rests on mutual authentication by means of asymmetric cryptography.

As long as passkeys require user interaction there is a lot of friction to attempting that. And even if you could get over that hurdle, you still have all manner of other browser based hurdles.

What you could do is bind a passkey authenticated user to some kind of session/cookie tracking, but ITP/per-domain cookie restrictions would still block that.