
Comment by nerdsniper

17 hours ago

I believe you'll also need Bluetooth enabled on both devices. At least you do for the "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.

My desktop doesn't have Bluetooth. Does this mean I'd be doomed even if I had a compatible mobile device?

  • I also disable Bluetooth on my phone every few months (and never enable it)... or at least after every CCC or such.

  • Yes. The technical name for this FIDO2 QR code flow is caBLE (Cloud Assisted Bluetooth Low Energy).

  • In a free market, the content provider is free to put whatever guardrails they feel appropriate. Loginwall, Paywall, CaptchaWall.

    If you don't like that provider, you are free to pick another.

    • 1. Free markets do not exist

      2. If free markets did exist they would not conform to the theory that people are using when they think of what free markets are, since people do behave rationally, power dynamics are real, and no consumer can have all of the information needed to make rational decisions even if that information were available

      3. The market is providing solutions to its own failures without fixing the underlying failures because it is more profitable this way. Is buying something from a company that mitigates a problem created by the same company actually a free market, or is it just extraction?

CTAP2 requires Bluetooth but I'm not seeing any mention of that protocol here? It wouldn't really solve the "are you a human" thing, because you can just implement your own CTAP2 protocol handler if you wanted to write a bot.

I think the phone will just do basic remote attestation and then do a POST request to Google. Still not exactly difficult to bypass for anyone with a dollar to throw at the click/ad fraud farms, though.

In passkeys the bluetooth is used for the actual authentication protocol...

  • Sometimes, sort of. Most passkey usage doesn’t involve bluetooth. When it does, there’s no real data being sent over bluetooth, just a meaningless hash that can be confirmed using a secret inside the QR code.

    So really, it’s like I said, Bluetooth is used to make sure that the device consuming the QR code is actually near the device that’s displaying the QR code.
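A toy model of the proximity check the last two comments describe, added here as an illustration (it is not the caBLE specification and not code from any passkey implementation): the desktop puts a fresh secret in the QR code, the phone that scanned it broadcasts a short nonce plus a MAC over BLE, and the desktop only accepts an advertisement whose MAC verifies under a key derived from that secret. The key-derivation label, payload lengths and function names are assumptions of this model.

```python
"""Simplified model of the QR-secret-bound BLE advertisement (hypothetical, not the real caBLE spec)."""
import hashlib
import hmac
import secrets
from typing import List, Optional

NONCE_LEN = 8   # assumed sizes for this model
TAG_LEN = 16


def new_qr_secret() -> bytes:
    """Desktop mints a fresh random secret and encodes it in the displayed QR code."""
    return secrets.token_bytes(16)


def _adv_key(qr_secret: bytes) -> bytes:
    """Derive a dedicated advertisement key from the QR secret (label is made up for this model)."""
    return hmac.new(qr_secret, b"hypothetical-ble-adv-key", hashlib.sha256).digest()


def phone_advertisement(qr_secret: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Phone side: after scanning the QR, broadcast nonce || MAC(key, nonce) over BLE.
    To anyone without the QR secret the payload is indistinguishable from random bytes."""
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    tag = hmac.new(_adv_key(qr_secret), nonce, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + tag


def desktop_verify(qr_secret: bytes, adv: bytes) -> bool:
    """Desktop side: accept a heard advertisement only if its MAC verifies under the
    key derived from the secret this desktop actually displayed."""
    if len(adv) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = adv[:NONCE_LEN], adv[NONCE_LEN:]
    expected = hmac.new(_adv_key(qr_secret), nonce, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def pick_matching_phone(qr_secret: bytes, heard: List[bytes]) -> Optional[int]:
    """Among every advertisement within BLE range, return the index of the one sent by
    the phone that scanned this QR code, or None if no nearby phone did."""
    for i, adv in enumerate(heard):
        if desktop_verify(qr_secret, adv):
            return i
    return None


if __name__ == "__main__":
    my_secret = new_qr_secret()
    stranger_secret = new_qr_secret()          # QR shown by some other desktop
    heard = [phone_advertisement(stranger_secret),
             secrets.token_bytes(NONCE_LEN + TAG_LEN),   # constructed unrelated BLE noise
             phone_advertisement(my_secret)]
    print("matching phone at index", pick_matching_phone(my_secret, heard))  # 2
```

The advertisement carries no credential data; it only proves that a phone within radio range holds the secret from this QR code, after which the real authentication traffic goes over the cloud-assisted tunnel the thread mentions.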