traceroute66 9 days ago

> Passkeys is the way to go.

My problem with passkeys is that there is no hardware attestation like there is with Yubikeys and similar.

This means that for security-conscious applications you have no way of knowing if the passkey you are dealing with is from an emulator or the real deal.

Meanwhile, with Yubikeys & Co you have that. And it means that, for example, people like Microsoft can (and do) offer you the option to protect your cloudy stuff with AAGUID filtering.

And similarly, if you're doing PIV, e.g. as a basis for SSH keys, you can attest that the PIV key was generated on the Yubikey.

You can't do any of that with passkeys.

timmyc123 9 days ago | parent

> You can't do any of that with passkeys.

Device-bound passkeys, which are used in workforce / enterprise scenarios, are typically attested.

Attestation does not exist for consumer synced passkeys by design. It is an open ecosystem.
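What the AAGUID-filtering policy in the two comments above looks like on the relying-party side, as an added example that is not code from either commenter or from any vendor: a minimal CBOR decoder reads a WebAuthn attestationObject, and the gate rejects `fmt: "none"` (the shape an unattested synced passkey produces) and any AAGUID not on an allowlist. The allowlist value, `example.com` rpId, empty COSE key and `build_sample` helper are constructed for the demo; a real deployment verifies the attStmt signature and certificate chain before trusting the AAGUID at all.

```python
import hashlib

# Constructed placeholder AAGUID for the allowlist (not any real vendor's value).
ALLOWED_AAGUID = "00000000000000000000000000000001"

def cbor_decode(buf: bytes, pos: int = 0):
    """Minimal CBOR decoder for the types an attestationObject uses (uint, bstr, tstr, map)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    width = {24: 1, 25: 2, 26: 4}.get(info, 0)     # extra length bytes; info < 24 is the value itself
    n = int.from_bytes(buf[pos:pos + width], "big") if width else info
    pos += width
    if major == 0:                                   # unsigned int
        return n, pos
    if major == 2:                                   # byte string
        return bytes(buf[pos:pos + n]), pos + n
    if major == 3:                                   # text string
        return buf[pos:pos + n].decode(), pos + n
    if major == 5:                                   # map
        out = {}
        for _ in range(n):
            k, pos = cbor_decode(buf, pos)
            out[k], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def check_attestation(att_obj: bytes, allowed_aaguids: set) -> tuple:
    """Policy gate on fmt and AAGUID. Assumes a full WebAuthn library already verified the
    attStmt signature and cert chain; without that, the AAGUID is a self-reported value."""
    obj, _ = cbor_decode(att_obj)
    fmt, auth_data = obj["fmt"], obj["authData"]
    if not auth_data[32] & 0x40:                     # flags byte, AT bit: attested cred data present
        return False, "no attested credential data"
    aaguid = auth_data[37:53].hex()                  # rpIdHash(32) + flags(1) + signCount(4), then AAGUID(16)
    if fmt == "none":
        return False, "fmt=none: unattested credential (what a synced passkey looks like)"
    if aaguid not in allowed_aaguids:
        return False, f"aaguid {aaguid} not on allowlist"
    return True, f"fmt={fmt} aaguid={aaguid}"

def build_sample(fmt: str, aaguid: bytes, flags: int = 0x45) -> bytes:
    """Constructed attestationObject (map: fmt, attStmt, authData) for exercising the gate."""
    auth_data = (hashlib.sha256(b"example.com").digest()          # rpIdHash
                 + bytes([flags]) + (0).to_bytes(4, "big")        # flags (UP|UV|AT), signCount
                 + aaguid + (16).to_bytes(2, "big") + bytes(16)   # AAGUID, credId length, credId
                 + b"\xa0")                                       # credentialPublicKey (empty map, constructed)
    return (b"\xa3\x63fmt" + bytes([0x60 | len(fmt)]) + fmt.encode()
            + b"\x67attStmt\xa0\x68authData\x58" + bytes([len(auth_data)]) + auth_data)
```

Running `check_attestation(build_sample("packed", bytes.fromhex(ALLOWED_AAGUID)), {ALLOWED_AAGUID})` accepts, while the same call with `build_sample("none", bytes(16))` is rejected as unattested.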