
Comment by madduci

1 day ago

For this reason I am avoiding it like the plague. It is an additional way to fingerprint your activity, and the scenarios where you migrate your passkeys from one device to another seem not really well "oiled".

How can passkeys be used to fingerprint you? The WebAuthN extension goes to pretty great lengths to avoid fingerprinting.

  • Don't they get associated to a particular device?

    • Yes, but they're used, by design, to authenticate you.

      Even revealing the fact that a given passkey exists on your device requires your active confirmation according to the spec, so unless you actually want to authenticate and click the corresponding button, the site learns nothing about you (other than that your browser theoretically supports WebAuthN, which most do these days, so that's significantly less than one bit of fingerprinting data on you).

      In other words, you can't be fingerprinted by WebAuthN, unless there's a (pretty severe) bug in an implementation.
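To make the boundary described in that reply concrete, here is an added JavaScript example (it is not code from the thread or from any participant). It shows the feature-detection surface a page can read with no user interaction, how little fingerprint information that surface is worth under an assumed support rate, and that anything about actual credentials goes through `navigator.credentials.get()` and the browser's own prompt. The window stub, the 95% prevalence figure and the helper names (`passiveWebAuthnSignals`, `credentialRequestOutcome`, `makeDecliningWindowStub`) are constructed assumptions for the example; the two `PublicKeyCredential` static methods it calls are real WebAuthn API.

```javascript
// Added example (not from the thread). `win` is a window-like object; the
// constructed stub below stands in for a browser so this runs under Node.

// Bits of fingerprint information from one boolean observation, given the
// fraction `prevalence` of browsers where that boolean is true.
function surpriseBits(observedTrue, prevalence) {
  const p = observedTrue ? prevalence : 1 - prevalence;
  return -Math.log2(p);
}

// Feature detection: the only signals available without user interaction.
// Both static methods answer a capability question about the browser/device;
// neither says whether any credential exists for this or any other site.
async function passiveWebAuthnSignals(win) {
  const pkc = win.PublicKeyCredential;
  if (!pkc) {
    return { supported: false, platformAuthenticator: false, conditionalUI: false };
  }
  const callIf = (name) =>
    typeof pkc[name] === 'function' ? Promise.resolve(pkc[name]()) : Promise.resolve(false);
  const [platformAuthenticator, conditionalUI] = await Promise.all([
    callIf('isUserVerifyingPlatformAuthenticatorAvailable'),
    callIf('isConditionalMediationAvailable'),
  ]);
  return { supported: true, platformAuthenticator, conditionalUI };
}

// Any credential request goes through navigator.credentials.get(), which puts
// up the browser prompt. If the user does not confirm, the page receives a
// DOMException named NotAllowedError and nothing about which credentials
// exist. This helper records only that outcome.
async function credentialRequestOutcome(win, publicKeyOptions) {
  try {
    const cred = await win.navigator.credentials.get({ publicKey: publicKeyOptions });
    return { userConfirmed: true, credentialId: cred.id };
  } catch (err) {
    if (err && err.name === 'NotAllowedError') {
      return { userConfirmed: false, credentialId: null };
    }
    throw err;
  }
}

// Constructed stub: a browser that supports WebAuthn and whose user declines
// the prompt. Not a real browser object.
function makeDecliningWindowStub() {
  return {
    PublicKeyCredential: {
      isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
      isConditionalMediationAvailable: async () => true,
    },
    navigator: {
      credentials: {
        get: async () => {
          const e = new Error('The operation either timed out or was not allowed.');
          e.name = 'NotAllowedError';
          throw e;
        },
      },
    },
  };
}

// Example run. The 95% support rate is an illustrative assumption, not a
// measurement; at that rate "supported" is worth about 0.07 bits. The
// challenge would come from the server in real use; the stub ignores it.
async function demo(win = makeDecliningWindowStub()) {
  const signals = await passiveWebAuthnSignals(win);
  const bits = surpriseBits(signals.supported, 0.95);
  const outcome = await credentialRequestOutcome(win, { challenge: new Uint8Array(32) });
  return { signals, bits, outcome };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a browser you would pass `window` to `demo()` instead of the stub; the passive part then reports the real capability flags, and the credential request still resolves only through the user's action in the browser prompt.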