anonymars 9 days ago

I'm not familiar with this issue and a quick search didn't turn up anything obvious. Would you mind elaborating?

Arrowmaster 9 days ago | parent | next [-]

They are referring to the ability of a site you are logging into forcing you to use a client from a specific list or having a list of clients to deny.

It's copied over from FIDO hardware keys where each device type needed to be identifiable so higher tier ones could be required or unsecured development versions could be blocked.

jjani 9 days ago | parent | next [-]

This is what I was referring to, and we already have seen this happen in the wild with PayPal at one point (possibly still) blocking passkeys from e.g. Firefox. For now the argument against this seems to be that "Apple zeroes this out so service providers can't do it without risking issues for their many users who use Apple to store their keys", but clearly this is so precarious of a situation it may as well not be a thing. You can't depend on one trillion-dollar company not changing their minds on that tomorrow.

reginald78 9 days ago | parent [-]

Even with the current flimsy "What about iPhones?" defense against attestation, is there anything stopping say Microsoft from just forcing you to install a different app to use Microsoft services?

bux93 9 days ago | parent | prev [-]

It's like DRM: it will annoy legitimate users and keep them from obviously legit use cases, and be circumvented by people who are motivated.

anonymars 9 days ago | parent [-]

Thanks, yes, I see this just came up in a similar comment thread (https://news.ycombinator.com/item?id=44823752)

What a crock, to not bother coming up with a way to make passkeys portable and then threaten to ban providers who actually thought about how humans might use them in the real world.

pandorobo 9 days ago | parent | prev [-]

Specifically, they are referring to synced passkeys (passkeys generated by services like Google Password Manager/1Password/Apple that are linked to that account).

Because these passkeys are stored in the cloud and synced to your provider's account (i.e. Google/Apple/1Password etc.), they can't support attestation. It leads to a scenario where Relying Parties (the apps consuming the passkey) cannot react to incidents in passkey providers.

For example: if tomorrow 1Password was breached and all their cloud-stored passkeys were leaked, RPs have no way to identify and revoke the passkeys associated with that leak. Additionally, if a passkey provider turns out to be malicious, there is no way to block them.
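As an added illustration of the RP-side check the comment above is talking about (example code written for this thread, not from any commenter or any passkey provider): an RP parses the authenticatorData from a registration, pulls out the AAGUID that identifies the authenticator/provider, and applies a denylist. The AAGUID values, the RP ID "example.com" and the three-way accept/reject/unknown policy are all constructed assumptions; the point is that an all-zero AAGUID, or an attestation format of "none", leaves the RP with nothing to key a provider-level revocation on.

```python
import hashlib
import struct

# Layout of WebAuthn authenticatorData (spec section 6.1):
#   rpIdHash[32] | flags[1] | signCount[4] | attestedCredentialData (only when the AT flag is set)
# attestedCredentialData = aaguid[16] | credentialIdLength[2] | credentialId | credentialPublicKey
FLAG_AT = 0x40           # attested credential data is present
ZERO_AAGUID = bytes(16)  # the value a provider sends when it deliberately does not identify itself


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Pull flags, sign count, AAGUID and credential ID out of raw authenticatorData bytes."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    flags = auth_data[32]
    parsed = {"rp_id_hash": auth_data[:32], "flags": flags,
              "sign_count": struct.unpack(">I", auth_data[33:37])[0],
              "aaguid": None, "credential_id": None}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = auth_data[37:53]
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credential ID truncated")
        parsed["credential_id"] = auth_data[55:55 + cred_len]
    return parsed


def provider_policy(aaguid, attestation_fmt: str, denylist: set) -> tuple:
    """One possible (assumed) RP policy: (decision, reason) for a registration, given who the
    provider claims to be. Only a verified attestation statement (fmt 'packed', 'tpm', ...) makes
    the AAGUID trustworthy; with fmt 'none' or an all-zero AAGUID the RP cannot tell providers
    apart, which is the incident-response gap described in the comment above."""
    if aaguid is None:
        return ("reject", "no attested credential data in registration")
    if aaguid == ZERO_AAGUID:
        return ("unknown", "provider anonymised its AAGUID; no provider-level revocation possible")
    if attestation_fmt == "none":
        return ("unknown", "AAGUID is self-asserted under fmt 'none'; a denylist match is best-effort")
    if aaguid in denylist:
        return ("reject", "provider AAGUID is on the denylist")
    return ("accept", "verified AAGUID and provider not on the denylist")


def build_auth_data(rp_id: str, aaguid: bytes, credential_id: bytes) -> bytes:
    """Construct sample authenticatorData for local testing; the trailing public key is a placeholder."""
    header = hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_AT | 0x05]) + struct.pack(">I", 0)
    return header + aaguid + struct.pack(">H", len(credential_id)) + credential_id + b"<cose-key-placeholder>"
```

A real RP would additionally verify the attestation statement's signature and certificate chain before trusting the AAGUID; this block only shows what the RP can key its decision on once that verification has (or has not) happened.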