Comment on Google will now make passkeys the default for personal accounts
atzanteol@sh.itjust.works 1 year ago
That’s a terrible take … He’s confusing “what it does and how it works” with “how you manage it”.
It’s like saying “don’t call it a password if you write it down”. It’s confusing and unhelpful.
Natanael@slrpnk.net 1 year ago
No, it’s literally in the spec. Passkeys are designed for cross-device synchronization. You have to go out of your way to make it local only (or use a different WebAuthn spec like physical security keys).
atzanteol@sh.itjust.works 1 year ago
They’re just private keys. By nature you can copy them wherever you want. I guess I don’t know why he’s making that distinction at all.
Natanael@slrpnk.net 1 year ago
The original spec is resident keys, including TPM-protected or hardware-token-protected keys designed to be impossible to copy. That’s why there’s a distinction.