I can see why Apple might be reluctant to open this technology up to third parties, it would be a nightmare to keep it secure.

▲

supermatt 18 hours ago | parent [-]

Why should that be apples decision to make? There are many software vendors with much better security track records than apple.

▲

tpmoney 18 hours ago | parent [-]

Because Apple’s reputation (and customer trust in the ecosystem) depends on their security posture, and the less headlines that involve 3rd party applications on your computer being able to read the iPhone clipboard while the phone remains locked the better?

Also because people should have the choice to buy a device from a vendor that is locked down if that is what they want.

▲

supermatt 17 hours ago | parent | next [-]

Then they should enable interoperability. Either provide a secure platform that others can access, or let third parties offer their own. The whole point of passkeys is to handle remote authentication and authorisation securely - and is effectively what Apple are already doing under the hood.

This whole "we can only trust Apple" argument is outdated given modern security standards like FIDO2/WebAuthn and passkeys

▲

_aavaa_ 18 hours ago | parent | prev [-]

Nothing about providing the API for this requires that your phone automatically accept such requests.

They can change it so that all first requests require confirmation with password.

	▲	tpmoney 17 hours ago \| parent [-]
		And you can secure your HTTP server and SSH server with credentials too, but if your wanting a secure internal service it’s also probably a good idea to put a firewall in place and only allow access from authorized endpoints. Security isn’t a binary thing. It comes in layers and “no publicly accessible API” is (or at least can be) more secure than “public API”.