Toot

Written by gigantos on 2024-10-24 at 16:08

@canard164 @nsa I think it doesn't have to be a privacy issue. It should be possible to cause the call in JavaScript to behave as if the user got an empty popup and clicked cancel. It is already possible for a website to request the passkey without asking the user first; it just leads to a popup for biometry and then an empty list after.

I don't know how to solve it, but I think it hurts passkey adoption.

As for the sync, I was under the impression all passkeys on iPhone are tied to the Apple keychain. And if you wanted to switch to a non-Apple device, you need to re-create all your passkeys.

On macOS you can install a browser plugin on Chrome, so there is that.

So currently there is no way for me to have a passkey provider that supports sync and runs on all my devices (Windows, Mac, iPad, Android, Linux).

And even if there was, my argument was that there is no sync as part of the standard, and almost all users will do whatever is standard. So the vendor lock-in is definitely real.

Original URL
gemini://mastogem.picasoft.net/toot/113363262044792377