Comment by josephcsible

Comment by josephcsible 2 days ago

5 replies

View on Hacker News

That's the "cover story" use case. The real use case is so that passkeys created on Apple devices can only ever move to other Apple devices, and ditto for on Microsoft or Google devices, and the real point of attestation is so that they can force you to use theirs by cryptographically ensuring that you're not using open-source ones like KeePassXC.

skybrian 2 days ago

But the whole point of this new standard is to allow passkeys to be portable:

https://arstechnica.com/security/2025/06/apple-previews-new-...

Reply View 4 replies
  • AlotOfReading a day ago

    As an example, see this issue opened against keepassxc saying that if they continue allowing plaintext passkey export, they're at risk of being blocked once attestation is standardized:

    https://github.com/keepassxreboot/keepassxc/issues/10407

    The goal here isn't maximizing user choice, it's to enforce minimum agreeable standards by the major vendors. It's up to you whether your personal needs wholly align with what they want to mandate, forever.

    Reply View 1 reply
    • skybrian 18 hours ago

      Yeah, I’m okay with that. It’s also true that not just anyone can become a domain registry either, but we still have choices.

      It’s less convenient, but you can always create a new passkey manually for an account.

      Reply View 0 replies
  • josephcsible a day ago

    If that ends up letting attested passkeys be exported outside of the Microsoft/Apple/Google oligopoly, I'll eat my hat.

    Reply View 1 reply
    • skybrian 17 hours ago

      Who uses attested passkeys? (Serious question.)

      Reply View 0 replies