I've got a big problem with the attestation feature even existing in the spec. I know Apple plans to "zero it out" but if that changed sites could lock out non-approved devices. I'd vastly prefer it wasn't part of the spec at all rather than relying upon the whims of a single megacorporation. If they ever drop that cover, things will gradually become de facto locked to middlemen anyway.
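To make the lockout concern in this comment concrete, here is an added example (editorial, not from any commenter or from the WebAuthn spec text) that parses the attested credential data a relying party receives at registration and applies two RP policies to the AAGUID: an allowlist that gates on authenticator model, and the open policy that ignores it. The sample bytes, the vendor AAGUID and the reading of "zero it out" as an all-zero AAGUID are assumptions; the trailing COSE key is placeholder bytes, not a decoded key.

```python
import struct
import uuid

# Authenticator data layout (WebAuthn): rpIdHash(32) | flags(1) | signCount(4)
# | [when AT flag set: AAGUID(16) | credIdLen(2) | credId | COSE key (CBOR)]
FLAG_UP = 0x01
FLAG_AT = 0x40
ZERO_AAGUID = uuid.UUID(int=0)
# Constructed vendor id for the sample, not any real authenticator's AAGUID.
VENDOR_AAGUID = uuid.UUID("11111111-2222-3333-4444-555555555555")

def parse_authenticator_data(data: bytes) -> dict:
    """Split authenticator data; the trailing COSE key is returned raw."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    out = {"rp_id_hash": data[:32], "flags": flags, "sign_count": sign_count}
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        out["aaguid"] = uuid.UUID(bytes=data[37:53])
        (cred_len,) = struct.unpack(">H", data[53:55])
        if len(data) < 55 + cred_len:
            raise ValueError("credential id truncated")
        out["credential_id"] = data[55:55 + cred_len]
        out["cose_key"] = data[55 + cred_len:]
    return out

def allowlist_policy(aaguid, allowed: set) -> bool:
    """Policy the thread warns about: only listed models register, so an
    anonymous (zeroed) AAGUID is turned away."""
    return aaguid in allowed

def registration_decision(data: bytes, allowed=None) -> str:
    """'accept' or 'reject'. allowed=None is the open policy the thread
    argues for: the AAGUID is parsed but never used to gate registration."""
    parsed = parse_authenticator_data(data)
    aaguid = parsed.get("aaguid", ZERO_AAGUID)
    if allowed is None or allowlist_policy(aaguid, allowed):
        return "accept"
    return "reject"

def build_sample(aaguid) -> bytes:
    """Constructed registration sample, not a capture: placeholder rpIdHash,
    UP|AT flags, counter 1, 4-byte credential id, 2 placeholder key bytes."""
    return (b"\x11" * 32 + bytes([FLAG_UP | FLAG_AT]) + struct.pack(">I", 1)
            + aaguid.bytes + struct.pack(">H", 4) + b"\xaa\xbb\xcc\xdd" + b"\xa2\x01")
```

Run with the constructed samples, the same zeroed-AAGUID registration is accepted under the open policy and rejected under the allowlist, which is exactly the difference the comment is worried about.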
This is a great point. I'm really happy about Apple's plans, but I have a hard time taking it at face value that there's nothing to worry about here if there's resistance to putting that plan into the spec itself.
Because I start to get suspicious any time a company says, "we're not going to do X, but we absolutely refuse to commit in any meaningful way to not doing X."
There's an implication there. I feel the same way about syncing, honestly:
"Everyone is going to support 3rd-party sync."
"Can we put it in the spec that they have to?"
"Well, that would be overreaching..."
I think there are a lot of people who have genuinely good intentions, but it still makes me pretty nervous. If we could just trust every company to magically work things out and be compatible with everyone, we wouldn't need industry specifications in the first place. I think it's appropriate to try and standardize the baseline mechanisms users should have to control their keys and preserve their privacy.
Exactly. Middlemen are not needed. Passkeys can and should be handled by an open specification. In this way, passkeys will be decentralized and can be supported by anyone and everywhere.
Users should decide by themselves where they want to store the authenticator: be it a separate device or a password manager running on their computer. An authenticator is just an algorithm that uses key material from elsewhere (biometrics, master password, whatever the user prefers) to perform the authentication.
Tying the whole thing to a couple of corps is cringy and creepy at the same time. There must be an open standard where everyone can participate.