This sort of shit is the reason they will never get me to use their passkey implementation.
The sooner there's a truly portable open source offline version of passkeys I'm all in. Until then I'm sticking with my password manager.
I do feel the only thing you can really trust from Google are the things that make them money. Chrome, and any software that allows them to hook into for advertising money. It makes me worry about go, dart, and flutter. Though the latter two include analytics which you need to disable.
Interesting to see that passkeys make use of CBOR. When I looked at binary JSONs several years ago, Smile was one of my favorites, but CBOR was decent too.
I believe security keys are the offline version of passkeys you're looking for.
I am afraid that websites will somehow disable support for security keys and only support passkey implementations from big tech (similar to how websites only offer sign-in with Google, FB, etc).
Can someone clarify if WebAuthn protocol allows for this filtering against hardware authenticators?
I wouldn’t be surprised if you’re right, but I think it’s not all bad to only use auth from big tech - I don’t know if I trust most small companies to implement uname/password auth correctly. Most users recycle passwords too so a leak is really bad.
I think the reason to only support big tech passkey auth is because users (at scale) can’t be trusted to keep track of their hardware keys.