• Kairos@lemmy.today
    link
    fedilink
    English
    arrow-up
    35
    arrow-down
    1
    ·
    edit-2
    9 months ago

    No they fucking won’t. You know that websites are going to be massive throbbing cocks about it.

    “Due to security issues, passkeys for our service must be kept in <Company name>® Secure Passkey App™. Please install the app on your device to continue. This app requires Apple Notification or Google Play services to operate. Must have verified phone number to use.”

      • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.dbzer0.com
        cake
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        1
        ·
        9 months ago

        Unironically this…

        Passkeys don’t work on my rooted device - they seemingly set up correctly, but sites like GH claim your device passkey doesn’t exist when you try to actually login. When you go to the affected site’s account settings to add the device as a passkey again, an error of some kind claims the passkey already exists 🤷‍♂️

        Deleting/re-adding has no effect. Using FF with device biometric passkey auth

        • ChickenBoo@lemmy.jnks.xyz
          link
          fedilink
          English
          arrow-up
          4
          ·
          9 months ago

          I have to do anything passkey based on chrome on Android. No clue why. Had to recover my PSN account like 4 times before I figured out it was a Firefox problem.

    • Suzune@ani.social
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      9 months ago

      Passkeys are an open standard. You need to install a Webauthn-compliant supplicant that talks to the browser. The supplicant can be anything, as long as it does the required protocol. The browser doesn’t care.

      At the moment the browsers are the main problem. They need to open their APIs properly.

      • jj4211@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Problem is part of the standard allows the server to require attestation. So congratulations, they only bless their app, or maybe they only bless iphones.

        If the service ignores that, then yes, it’s great. It’s as yet unpopular so it’s hard to know, but in adjacent industries I have seen them lock down the to the point it’s as asinine as “open your app to continue”

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Counter example Symantics TOTP. https://vip.symantec.com/

        They work with companies to integrate TOTP into their system, but it’s a bastardized version of the open standard. You cannot use standard TOTP software with the Symantic integration.

        They want you to use their proprietary app on your phone.

        You can however, take symantics crazy code, go through a converter, and then use a standard TOTP app.

        But this is a great example of enshitification of an open standard.

      • SuperIce@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        9 months ago

        Not necessarily. I found out that bitwarden can generate a QR code that you just scan with your phone that allows your phone to act as a passkey, no browser support required. I was surprised when I discovered that. I had set up my phone as a passkey in Windows, and Windows can use phones as a passkey directly; on Linux that’s not supported so it just gave me a QR code that worked seamlessly. It’s not like a browser URL, but actually triggers the phone’s passkey authentication, kinda like QR codes for WiFi authentication. Pretty neat.