Comment by lxgr
1 day ago
How can passkeys be used to fingerprint you? The WebAuthn extension goes to pretty great lengths to avoid fingerprinting.
Don't they get associated with a particular device?
Yes, but they're used, by design, to authenticate you.
Even revealing the fact that a given passkey exists on your device requires your active confirmation according to the spec, so unless you actually want to authenticate and click the corresponding button, the site learns nothing about you (other than that your browser theoretically supports WebAuthn, which most do these days, so that's significantly less than one bit of fingerprinting data on you).
In other words, you can't be fingerprinted by WebAuthn, unless there's a (pretty severe) bug in an implementation.
No, they can be synced.
TIL, thanks