• Suzune
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    8 months ago

    Passkeys are an open standard. You need to install a Webauthn-compliant supplicant that talks to the browser. The supplicant can be anything, as long as it does the required protocol. The browser doesn’t care.

    At the moment the browsers are the main problem. They need to open their APIs properly.

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      Counter example Symantics TOTP. https://vip.symantec.com/

      They work with companies to integrate TOTP into their system, but it’s a bastardized version of the open standard. You cannot use standard TOTP software with the Symantic integration.

      They want you to use their proprietary app on your phone.

      You can however, take symantics crazy code, go through a converter, and then use a standard TOTP app.

      But this is a great example of enshitification of an open standard.

    • jj4211@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      Problem is part of the standard allows the server to require attestation. So congratulations, they only bless their app, or maybe they only bless iphones.

      If the service ignores that, then yes, it’s great. It’s as yet unpopular so it’s hard to know, but in adjacent industries I have seen them lock down the to the point it’s as asinine as “open your app to continue”

    • SuperIce@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      8 months ago

      Not necessarily. I found out that bitwarden can generate a QR code that you just scan with your phone that allows your phone to act as a passkey, no browser support required. I was surprised when I discovered that. I had set up my phone as a passkey in Windows, and Windows can use phones as a passkey directly; on Linux that’s not supported so it just gave me a QR code that worked seamlessly. It’s not like a browser URL, but actually triggers the phone’s passkey authentication, kinda like QR codes for WiFi authentication. Pretty neat.