| ▲ | Dagonfly 5 days ago | |
Well it relates to this sentence:

> You can use any credential manager you choose.

Which I would be careful with. I can use any authenticator that the RP accepts. I could totally see a future where banks only allow certain authenticators (Apple/Google) and enforce this through AAGUID or even attStmt. Similar to the Google Play Protect situation. At that point, those banks/services would enforce vendor lock-in on me. The reality would be: I can use iOS or Android, but not a FOSS implementation. This restriction is not possible with old-school passwords.
| ▲ | timmyc123 5 days ago | parent [-] | |
If a website were to attempt to do this, you (or your credential manager) could simply change the AAGUID to match another credential manager.
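
The two mechanisms named in the comments above (AAGUID and attStmt), seen from the relying party's side, as an added example that is not part of the thread: it reads the AAGUID out of WebAuthn authenticatorData and reports whether an allowlist match is backed by a verified attestation statement or is only a value the client reported. The function names, policy labels and sample AAGUID are constructed; CBOR decoding of the attestation object and verification of attStmt are assumed to be done by the RP's WebAuthn library.

```python
import hashlib
import struct
import uuid

FLAG_AT = 0x40  # authenticatorData flag bit: attested credential data present


def parse_aaguid(auth_data: bytes):
    """Return the AAGUID in WebAuthn authenticatorData, or None if absent.
    Layout: rpIdHash (32) | flags (1) | signCount (4) | aaguid (16) |
    credentialIdLength (2, big-endian) | credentialId | COSE public key.
    """
    if len(auth_data) < 37:
        raise ValueError("shorter than the fixed 37-byte header")
    if not auth_data[32] & FLAG_AT:
        return None
    if len(auth_data) < 55:
        raise ValueError("AT flag set but attested credential data truncated")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_len:
        raise ValueError("credentialId runs past the end of the buffer")
    return uuid.UUID(bytes=auth_data[37:53])


def aaguid_policy(auth_data, fmt, attestation_verified, allowed):
    """Hypothetical RP policy: say how much an allowlist hit is worth."""
    aaguid = parse_aaguid(auth_data)
    if aaguid is None:
        return "no-aaguid"
    if aaguid not in allowed:
        return "rejected"
    # Without a verified attStmt the AAGUID is only what the client reported.
    if fmt == "none" or not attestation_verified:
        return "accepted-self-asserted"
    return "accepted-attested"


# Constructed sample: flags 0x45 = UP | UV | AT, 4-byte credential id,
# and an empty CBOR map (0xa0) standing in for the COSE public key.
SAMPLE_AAGUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")
SAMPLE_AUTH_DATA = (
    hashlib.sha256(b"example.com").digest() + bytes([0x45])
    + struct.pack(">I", 0) + SAMPLE_AAGUID.bytes
    + struct.pack(">H", 4) + b"\x01\x02\x03\x04" + b"\xa0"
)

if __name__ == "__main__":
    allowed = {SAMPLE_AAGUID}
    print(aaguid_policy(SAMPLE_AUTH_DATA, "none", False, allowed))
    print(aaguid_policy(SAMPLE_AUTH_DATA, "packed", True, allowed))
```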