__MatrixMan__ 8 days ago

OK, so suppose you and I were bad guys. You work on the code that interfaces with the TPM on a windows device, and I work at an insurance provider and write code that authenticates users.

Suppose we hatch a conspiracy to take our users out of the "consumer synced passkey system" and into one where you can use the authentication ritual as a channel to pass me unique bits re: this user, such that we can later compare notes about their behavior.

What about passkeys prevents us from doing this? How do we get caught, and by whom?

timmyc123 7 days ago

I'd say:

1) That would be a whole lot of work, collusion, etc. for a very limited scope and outcome, which makes it incredibly unlikely to happen in practice.

2) If a credential manager decides to do shady things that you don't like, you can change your credential manager. That's the beauty of an open ecosystem.

3) There are much easier ways to track users online... (unfortunately)