by unethical_ban 720 days ago
I'm inebriated and curious, allow me to ask the layman's question:

Is this just public/private keys with apple managing the keys and the security of the keys via their auth stack?


It's an open standard and supported by most major browsers. But yes, there is currently a vendor lock-in, regardless of which vendor you start with.
Essentially, yes.
So why isn’t it just mTLS?
To be clear, what I meant is starting with mTLS and asking “how would that work?” leads in the direction of Passkeys. With mTLS there are client and server certs and keys to establish unambiguous identity, but how do they get on the personal device for the client? Old-school enrollment was hard, and autogenerating the client key and cert for each website is easy. But there needs to be a way to tell the website “this is a new user” and the like — a protocol. And, since the keys are credentials there needs to be protection for them (Keychain, biometrics).