| ▲ | growse 8 days ago | |
> if it would never work, why not drop support? Because passkeys are designed to replace passwords across multiple different service contexts, that have different requirements. Just because there's no reason to use it for one use case doesn't mean it's not actually useful in a different one. See things like FIPS140 (which everyone ignores unless they're legally required not to). Can you sketch out for me the benefit of a public-facing service deciding to require passkey attestation? What's the thought process? Why would they decide to wake up and say "I know, I'm going to require that all of my users authenticate just with a Yubikeys and nothing else"? | ||
| ▲ | ori_b 8 days ago | parent [-] | |
> Can you sketch out for me the benefit of a public-facing service deciding to require passkey attestation? What's the thought process? A misguided administrator is very likely to think "They can't use a malicious device to access our service". What's the benefit for a private service? | ||