timmyc123 8 days ago

Just because an API or protocol has a certain capability, does not mean it is implemented for all use cases.

Folks seem to be hung up on the term "attestation" being in the response of a create call. If you look inside that object, there is another carve-out for optional authenticator attestation, which is not used for consumer use cases.

I will keep repeating what I've said in the other comments. There is no credential manager attestation in the consumer synced passkey ecosystem. Period.
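As an added example (not from this thread), here is what a relying party actually receives from a create call: a minimal CBOR decoder for the `attestationObject`, run over two constructed samples, one with `fmt` "none" and an empty `attStmt` as in consumer passkey flows, and one carrying a format-specific statement. The rpIdHash, AAGUID, credential id and signature bytes are placeholders, and the COSE public key is omitted because nothing here parses it.

```python
# Minimal CBOR decoder (RFC 8949 subset: unsigned/negative ints, byte
# strings, text strings, maps), enough for a WebAuthn attestationObject.
def _read_len(data, pos, info):
    if info < 24:
        return info, pos
    size = {24: 1, 25: 2, 26: 4, 27: 8}[info]
    return int.from_bytes(data[pos:pos + size], "big"), pos + size

def cbor_decode(data, pos=0):
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if major == 0:                       # unsigned integer
        return _read_len(data, pos, info)
    if major == 1:                       # negative integer (-1 - n)
        n, pos = _read_len(data, pos, info)
        return -1 - n, pos
    if major in (2, 3):                  # byte string / text string
        n, pos = _read_len(data, pos, info)
        chunk = data[pos:pos + n]
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + n
    if major == 5:                       # map
        n, pos = _read_len(data, pos, info)
        result = {}
        for _ in range(n):
            key, pos = cbor_decode(data, pos)
            result[key], pos = cbor_decode(data, pos)
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def attestation_summary(attestation_object):
    """Return (fmt, attStmt present?, AAGUID hex or None) for an attestationObject."""
    obj, _ = cbor_decode(attestation_object)
    auth_data = obj["authData"]
    flags = auth_data[32]                # byte after the 32-byte rpIdHash
    # Attested credential data (AAGUID at bytes 37..52) exists only if AT (bit 6) is set.
    aaguid = auth_data[37:53].hex() if flags & 0x40 else None
    return obj["fmt"], bool(obj["attStmt"]), aaguid

# Constructed authData: zero rpIdHash, flags UP|UV|AT (0x45), signCount 0,
# zero AAGUID, 16-byte credential id; COSE public key omitted (71 bytes total).
AUTH_DATA = bytes(32) + b"\x45" + b"\x00\x00\x00\x00" + bytes(16) + b"\x00\x10" + bytes(range(16))
AUTH_DATA_CBOR = b"\x68authData" b"\x58\x47" + AUTH_DATA

# Constructed sample 1: no authenticator attestation ("none", empty attStmt).
SAMPLE_NONE = b"\xa3" b"\x63fmt" b"\x64none" b"\x67attStmt" b"\xa0" + AUTH_DATA_CBOR
# Constructed sample 2: "packed" with alg -7 and a placeholder (not valid) sig.
SAMPLE_PACKED = (b"\xa3" b"\x63fmt" b"\x66packed" b"\x67attStmt"
                 b"\xa2" b"\x63alg" b"\x26" b"\x63sig" b"\x43\x01\x02\x03" + AUTH_DATA_CBOR)

if __name__ == "__main__":
    print(attestation_summary(SAMPLE_NONE))    # ('none', False, '000...0')
    print(attestation_summary(SAMPLE_PACKED))  # ('packed', True, '000...0')
```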

__MatrixMan__ 8 days ago

OK, so suppose you and I were bad guys. You work on the code that interfaces with the TPM on a windows device, and I work at an insurance provider and write code that authenticates users.

Suppose we hatch a conspiracy to take our users out of the "consumer synced passkey system". And into one where you can use the authentication ritual as a channel where you can pass me unique bits re: this user such that we can later compare notes about their behavior.

What about passkeys prevents us from doing this? How do we get caught, and by whom?

timmyc123 7 days ago

I'd say:

1) That would be a whole lot of work, collusion, etc. for a very limited scope and outcome, which makes it incredibly unlikely to happen in practice.

2) If a credential manager decides to do shady things that you don't like, you can change your credential manager. That's the beauty of an open ecosystem.

3) There are much easier ways to track users online... (unfortunately)