Comment by the_mitsuhiko 12 hours ago

4 replies

The Austrian version (which I use and appreciate a lot) allows some hardware FIDO2 tokens instead of a smartphone. Guarantee? Not by law, but it will be hard for them to take that away.

Tharre 10 hours ago

> Guarantee? Not by law but it will be hard for them to take that away.

Last year they removed the ability to register[0] YubiKey FIDO2 tokens affected by the EUCLEAK 'vulnerability', despite it not posing any security risk even by their own admission, and nobody seems to have cared. The whole thing screams security theater: they require the much more expensive FIDO2 Level 2 keys for no reason (which limited you to just Trustkeys at the time after YubiKeys got banned), while their own site crashes[1] if you give it a secure password.

At the end of the day, if it's not required by law, the only other guarantee you have is a broad userbase that will complain if it's taken away, and at least at the moment it's clear that no such userbase exists.

[0] https://www.a-trust.at/de/%C3%BCber_uns/newsbereich/20240905...

[1] https://imgur.com/a/Uyjaoa7

  • the_mitsuhiko 8 hours ago

    You don't have to tell me, I absolutely hate that passkeys support attestation. But there is pressure to support a non-smartphone-based sign-in, and it does exist.

blauditore 12 hours ago

It won't be hard at all to take it away if only a few people are using it. And I assume the vast majority is using smartphones and won't understand the need for anything else.

  • the_mitsuhiko 11 hours ago

    I think it will be hard enough to take it away. The current solution also exists because there are lots of elderly people that do not have a smartphone.