by cyberax
606 days ago
> Did they remove attestation? Attestation is still in the standard, and some vendors support it. However, Apple removed it from their Keychain-synced keys: https://x.com/rmondello/status/1545085197250482176 and this effectively means that most sites will be forced to deal with non-device-bound keys. Banks can still require device-bound keys, just like they do now. But this effectively makes it impossible to sync these keys across devices. You'll have to use the same hardware token every time, and if you lose it, then you have to re-enroll the keys on every site.

Right. Because a non-device-bound key means you are now trusting not just the device, but the management of those keys, how they are moved between devices, and what devices the manager of the keys allows them to be stored on. Some parties are going to be better at that management than others. For example you might trust Google but not Bitwarden.
I gather from what you say that attestation of a passkey doesn't include information about who is managing it. If true, I can just generate my own passkeys, store them in plain text on my laptop and manage them with a home-grown shell script and copy them to any device I please. Maybe someone can write a Firefox extension that does all that for me. Have it auto-sync between my devices, put a long enough password on it, and I could replace Bitwarden with it.
Them being phishing resistant I guess means they are still an improvement on passwords, but my, they are a major compromise on the original WebAuthn vision.
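The device-bound versus synced distinction discussed in this thread is something a relying party can actually inspect at registration time. The WebAuthn authenticatorData flags byte carries a "backup eligible" (BE) bit and a "backup state" (BS) bit that a syncing provider is expected to set, and the attestation statement format (`fmt`) is `"none"` when the authenticator gives no attestation at all. The Python below is an added example written for this thread, not code from any commenter or from a WebAuthn library; it assumes the CBOR attestationObject has already been unwrapped by a CBOR library so that it receives `fmt` as a string and authenticatorData as raw bytes, and the two sample blobs and the AAGUID values in them are constructed fixtures, not real authenticator output.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Bits of the WebAuthn authenticatorData flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced off the authenticator
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows the header
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte header of authenticatorData and, when the AT flag
    is set, the AAGUID and credential ID. The COSE public key that follows is
    CBOR and is left to a CBOR library; this parser stops before it."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("AT flag set but attested credential data is missing")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("credential ID truncated")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id)


def classify_credential(fmt: str, auth: AuthData) -> str:
    """Relying-party view of how bound a newly registered credential is.
    'synced' when the authenticator declares the key backup-eligible or backed up;
    'device-bound-unattested' when fmt is 'none', so the RP cannot verify what
    produced the key; 'device-bound-attested' otherwise.
    Caveat: authenticators that predate the BE/BS flags report 0 for both, so
    BE=0 on its own is weaker evidence than a verifiable attestation."""
    if auth.backup_eligible or auth.backed_up:
        return "synced"
    if fmt == "none":
        return "device-bound-unattested"
    return "device-bound-attested"


def accept_registration(fmt: str, auth_data: bytes, require_device_bound: bool) -> bool:
    """Policy hook: a high-assurance RP (the 'bank' case in the thread) sets
    require_device_bound=True and accepts only an attested, non-synced key."""
    auth = parse_authenticator_data(auth_data)
    kind = classify_credential(fmt, auth)
    if not require_device_bound:
        return True
    return kind == "device-bound-attested"


def _build_auth_data(flags: int, sign_count: int, aaguid: bytes, cred_id: bytes) -> bytes:
    """Construct a sample authenticatorData blob (test fixture, not real traffic)."""
    return (hashlib.sha256(b"example.com").digest()
            + bytes([flags | FLAG_AT])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(cred_id))
            + cred_id)


# Constructed samples: a synced passkey registered with no attestation, and a
# hardware-bound key with 'packed' attestation and a made-up AAGUID.
SYNCED_SAMPLE = _build_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0, bytes(16), b"\x01" * 16)
BOUND_SAMPLE = _build_auth_data(FLAG_UP | FLAG_UV, 7, b"\xaa" * 16, b"\x02" * 20)

if __name__ == "__main__":
    for name, fmt, blob in [("synced", "none", SYNCED_SAMPLE), ("bound", "packed", BOUND_SAMPLE)]:
        auth = parse_authenticator_data(blob)
        print(name, classify_credential(fmt, auth), accept_registration(fmt, blob, True))
```

Checking the flags only tells the RP what the authenticator chose to declare; the attestation statement is what lets the RP verify that claim against a vendor's signing key, which is why a site that insists on device binding needs both a non-`"none"` format and BE unset rather than either alone.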