Comment on Google will now make passkeys the default for personal accounts
Natanael@slrpnk.net 11 months agoNo it’s literally in the spec. Passkeys are designed for cross device synchronization. You have to go out of your way to make it local only (or use a different webauthn spec like physical security keys)
atzanteol@sh.itjust.works 11 months ago
They’re just private keys. By nature you can copy them wherever you want. I guess I don’t know why he’s making that distinction at all.
Natanael@slrpnk.net 11 months ago
The original spec is resident keys including TPM protected or hardware token protected keys designed to be impossible to copy. That’s why there’s a distinction.