I’m sad PGP didn’t become a popular way to log into websites. A challenge-response protocol could have even been built into web browsers. Big tech is reinventing that idea as Passkey, but with a very big tech flavor.
I’m already hearing about restrictions on exporting passkeys and some apps requiring that you’re not running a custom ROM on Android and stuff like that. Makes me worried they’re going to fuck that up and make it restrictive bs
Passkeys or WebAuthn are an open web standard, and the implementation is flexible.
An authenticator can be implemented in software, with a hardware system integrated into the client device, or off-device.
Exportability/portability of the passkey is up to the authenticator.
Bitwarden already exports them, and other authenticators likely do, too.
WebAuthn relying parties (ie, web applications) make trust decisions by specifying characteristics of eligible authenticators & authentication responses & by checking data reported in the responses.
Those decisions are left to the relying party’s discretion.
I could imagine locked-down workplace environments allowing only company-approved configurations connect to internal systems.
WebAuthn has no bearing on whether an app runs on a custom platform: that’s entirely on the developer & platform capabilities to reveal customization.
From what I heard passkeys need google services framework for some reason. Don’t know technical reasons behind it but I would assume its bs given its google.
I’m living this pain with a custom ROM already, with some banking stuff, Google Wallet, WhatsApp passkeys and I think Netflix (haven’t installed it) block you for tripping up Google’s security tests.
If passkeys become a big thing and they’ll start enforcing them and apps that have those security measures I’m going to fucking firebomb something. REEEEEE
I’m sad PGP didn’t become a popular way to log into websites. A challenge-response protocol could have even been built into web browsers. Big tech is reinventing that idea as Passkey, but with a very big tech flavor.
I mean, passkeys are… sort of… PGP… 🤷♂️
I’m already hearing about restrictions on exporting passkeys and some apps requiring that you’re not running a custom ROM on Android and stuff like that. Makes me worried they’re going to fuck that up and make it restrictive bs
Passkeys or WebAuthn are an open web standard, and the implementation is flexible. An authenticator can be implemented in software, with a hardware system integrated into the client device, or off-device.
Exportability/portability of the passkey is up to the authenticator. Bitwarden already exports them, and other authenticators likely do, too.
WebAuthn relying parties (ie, web applications) make trust decisions by specifying characteristics of eligible authenticators & authentication responses & by checking data reported in the responses. Those decisions are left to the relying party’s discretion. I could imagine locked-down workplace environments allowing only company-approved configurations connect to internal systems.
WebAuthn has no bearing on whether an app runs on a custom platform: that’s entirely on the developer & platform capabilities to reveal customization.
Why should my OS be any of their concern?
From what I heard passkeys need google services framework for some reason. Don’t know technical reasons behind it but I would assume its bs given its google.
Yes, they don’t work without Google Play Services. Google didn’t implement passkeys in Android, only their own services.
I’m living this pain with a custom ROM already, with some banking stuff, Google Wallet, WhatsApp passkeys and I think Netflix (haven’t installed it) block you for tripping up Google’s security tests.
If passkeys become a big thing and they’ll start enforcing them and apps that have those security measures I’m going to fucking firebomb something. REEEEEE
Shit like this is why I don’t have a smartphone anymore. I have a brick phone that half the time I don’t even take out with me.