by lxgr
406 days ago

This is largely a problem because the specification does not cleanly call these out as two completely different feature sets, e.g. via "profiles" or a similar mechanism. Effectively implementations already do that, and the spec could clear things up a lot by clearly defining one profile for synchronizing, non-attestation-capable, discoverable credentials called "passkeys", and another for hardware-backed, non-exportable, attestation-supporting ones called something else.

This technically is true because Passkeys are just a subset of WebAuthn.
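
As an added example (not part of the thread and not any project's code), this is how a relying party can tell the two feature sets discussed above apart today, using the backup-eligibility (BE) and backup-state (BS) bits of the WebAuthn authenticator data flags byte. The profile names, `meetsPolicy` and `sampleAuthData` are hypothetical, and mapping BE to a "profile" is an assumption of this sketch, not something the specification defines.

```javascript
// Added example (not from the thread): read the WebAuthn authenticator data
// flags byte and sort a credential into one of two relying-party "profiles".
// The profile names and sampleAuthData() are hypothetical.
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function classifyAuthData(authData) {
  // Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data shorter than 37 bytes");
  }
  const flags = authData[32];
  const has = (bit) => (flags & bit) !== 0;
  // BS (currently backed up) without BE (backup eligible) is not a valid
  // combination and should be rejected rather than guessed at.
  if (has(FLAGS.BS) && !has(FLAGS.BE)) {
    throw new Error("invalid flags: BS set while BE is clear");
  }
  return {
    userPresent: has(FLAGS.UP),
    userVerified: has(FLAGS.UV),
    backupEligible: has(FLAGS.BE),
    backedUp: has(FLAGS.BS),
    // BE clear only means "not syncable"; proving hardware backing still
    // needs a verified attestation statement, which is out of scope here.
    profile: has(FLAGS.BE) ? "synced-passkey" : "device-bound",
  };
}

// Hypothetical RP policy check, e.g. an admin console that accepts only
// device-bound credentials with user verification.
function meetsPolicy(authData, { profile, requireUV = false }) {
  const c = classifyAuthData(authData);
  return c.profile === profile && (!requireUV || c.userVerified);
}

// Constructed sample: zeroed rpIdHash and signCount, caller-chosen flags.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}

console.log(classifyAuthData(sampleAuthData(FLAGS.UP | FLAGS.UV | FLAGS.BE | FLAGS.BS)));
console.log(classifyAuthData(sampleAuthData(FLAGS.UP | FLAGS.UV)));
```

The flags are covered by the assertion signature, so run this check only after signature verification has succeeded.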