pona-a 2 days ago

How do passkeys make users identifiable beyond being a random token? I recall FIDO shared hardware key serial numbers with websites, but at least on Firefox, it prompts you to deny it.

zwnow 2 days ago | parent [-]

In that case one could argue emails don't make users identifiable either, if the addresses don't contain any meaningful names.

pona-a a day ago | parent [-]

A passkey is always one per site. Emails tend to be naturally reused, unless the visitor uses a paid aliasing service (plus trick is trivial to canonize, having a dozen mailboxes on a self-hosted email still associates them with each other, because there's no anonymity set to speak of, and major email providers like Gmail won't let you register an account today without a phone number, credit card, or passport).

zwnow a day ago | parent [-]

And yet your passkey and therefore app access is tied to a singular key connecting that with all the user info.