timmyc123 8 days ago
Just because an API or protocol has a certain capability does not mean it is implemented for all use cases. Folks seem to be hung up on the term "attestation" being in the response of a create call. If you look inside that object, there is another carve-out for optional authenticator attestation, which is not used for consumer use cases. I will keep repeating what I've said in the other comments: there is no credential manager attestation in the consumer synced passkey ecosystem. Period.
__MatrixMan__ 8 days ago | parent
OK, so suppose you and I were bad guys. You work on the code that interfaces with the TPM on a Windows device, and I work at an insurance provider and write code that authenticates users. Suppose we hatch a conspiracy to take our users out of the "consumer synced passkey system" and into one where you can use the authentication ritual as a channel to pass me unique bits re: this user, such that we can later compare notes about their behavior. What about passkeys prevents us from doing this? How do we get caught, and by whom?