Comment by vel0city
4 days ago
> people use 2factor authentication and Passkeys without respecting the same truth.
Passkeys are still your keys. You can put them on hardware authenticators you control, entirely offline and separate from other services. You can store them in software vaults you manage.
That's not true. Passkeys have an optional remote attestation capability, which second parties can use to completely enforce aspects of your keys, such as them being non-transferable or not usable without a screen touch, etc.
Passkeys (as defined in the spec) by definition don't.
Non-passkey WebAuthn keys can have additional attestations.
You don't consider WebAuthn to be passkeys? Why not?
2 replies →
This doesn't change the fact it can still be your physical device that remains in your personal control.
I can stash them on a yubikey or similar device and still meet those requirements. It's still only my device, it doesn't rely on other services, etc.
There are also non-transferable passkeys which can't be copied between two secure devices, so it'd be hard to get some passkeys onto your yubikey in the first place.
Furthermore, I personally feel that if you can't actually access the bits, you don't truly "own" it.
3 replies →
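What the thread is arguing over is visible in the WebAuthn authenticator data itself. The example below is added here as an illustration and is not code from any commenter; it decodes the flags byte defined in the WebAuthn spec (UP, UV, BE, BS, AT, ED bits) and the AAGUID, and applies the kind of relying-party policy a second party would use to refuse synced, copyable credentials. The sample byte strings are constructed, not captured from a real authenticator, and the policy function is a hypothetical example of such a check. One caveat worth keeping in mind: the BE/BS flags and AAGUID are self-reported by the authenticator, so a relying party that wants to rely on them has to require attestation (the optional part of the spec the thread is discussing) rather than just read them.

```javascript
// Added example, not from the thread: parse WebAuthn authenticatorData and
// show the properties a relying party can inspect. Flag bit positions follow
// the WebAuthn spec's authenticator data layout.
const FLAG_UP = 1 << 0; // user present (e.g. touched the key)
const FLAG_UV = 1 << 2; // user verified (PIN/biometric)
const FLAG_BE = 1 << 3; // backup eligible: credential may be synced/copied
const FLAG_BS = 1 << 4; // backup state: credential is currently backed up
const FLAG_AT = 1 << 6; // attested credential data follows
const FLAG_ED = 1 << 7; // extension data follows

function toHex(u8) {
  return Array.from(u8, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) |
//         [aaguid(16) | credIdLen(2) | credId | COSE public key (CBOR)] if AT set
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const signCount =
    ((bytes[33] << 24) | (bytes[34] << 16) | (bytes[35] << 8) | bytes[36]) >>> 0;
  const result = {
    rpIdHash: toHex(bytes.subarray(0, 32)),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backupState: (flags & FLAG_BS) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount,
  };
  if (flags & FLAG_AT) {
    if (bytes.length < 55) throw new Error("attested credential data truncated");
    const credIdLen = (bytes[53] << 8) | bytes[54];
    if (bytes.length < 55 + credIdLen) throw new Error("credentialId truncated");
    result.aaguid = toHex(bytes.subarray(37, 53));
    result.credentialId = toHex(bytes.subarray(55, 55 + credIdLen));
    // The COSE public key (CBOR) starts at 55 + credIdLen; not decoded here.
  }
  return result;
}

// Hypothetical relying-party policy: accept only credentials that report
// user verification and are neither eligible for nor currently in backup,
// i.e. the "non-transferable" kind discussed above. Without attestation
// these bits are only the authenticator's own claim.
function acceptsDeviceBoundOnly(parsed) {
  return parsed.userVerified && !parsed.backupEligible && !parsed.backupState;
}

// Constructed sample: builds a registration-style authenticatorData blob.
function buildSample(flags, aaguidFill) {
  const credId = new Uint8Array([0x01, 0x02, 0x03, 0x04]);
  const out = new Uint8Array(32 + 1 + 4 + 16 + 2 + credId.length);
  out.set(new Uint8Array(32).fill(0xab), 0); // fake rpIdHash
  out[32] = flags;
  out.set([0x00, 0x00, 0x00, 0x07], 33); // signCount = 7
  out.set(new Uint8Array(16).fill(aaguidFill), 37); // fake AAGUID
  out[53] = 0x00;
  out[54] = credId.length;
  out.set(credId, 55);
  return out;
}

// A synced passkey reports BE and BS set; a hardware-bound key does not.
const syncedPasskey = parseAuthenticatorData(
  buildSample(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, 0x00)
);
const hardwareKey = parseAuthenticatorData(
  buildSample(FLAG_UP | FLAG_UV | FLAG_AT, 0x11)
);

console.log("synced passkey accepted:", acceptsDeviceBoundOnly(syncedPasskey));
console.log("hardware key accepted:", acceptsDeviceBoundOnly(hardwareKey));
```

The two constructed blobs differ only in the flags byte and the AAGUID fill, which is the whole point: the same parser yields a credential the policy accepts and one it rejects, and nothing in the bytes proves the claim unless an attestation statement vouches for the authenticator that produced them.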