It's completely legitimate for someone to be annoyed about forced sync. My guess is that Apple is worried people will turn off syncing without knowing the implications, but. I want users to have that option and I have some disagreements about whether services should be able to block it, but I do want it to be an option rather than a requirement. There's really no system where synchronizing to the cloud and syncing between devices/ecosystems ought to be required for the user. Regardless of whether or not there's support for exporting/importing, you should as a user have the option to not send your passkeys to iCloud. I'm not sure everyone realizes that you don't get a choice whether or not Apple passkeys are synced to iCloud, you can't create a passkey from Safari unless iCloud syncing is turned on. > And as a user, I don’t trust Apple's or Google's sync backends enough to store my most important credentials there I would love to check off the attestation problem from my list. Again, if anyone has documentation proving me wrong, please share it.
It would effectively make it impossible for any serious service to block anonymous attestation.īut my guess is that they probably just eased up on the hardware part of it and that they're still allowing requests to ask if the key is coming from an Apple device.
If Apple went full-anonymous with its passkeys and did not even sign the request to verify it was coming from an Apple device, that would be a really big deal for me. Originally at least, passkeys did support attestation in the form of reporting which authenticator had issued the passkey. > What would they even attest to, given that the credential is effectively not bound to any secure hardware? I think attestation is harmful and should never have been part of the spec. ) but I would be very happy to be proven wrong about that. My understanding is that iOS does still very much support attestation (. I'd love some kind of reference for this. We still need buy-in from the FIDO alliance itself that importing/exporting keys is an important part in general of being a passkey provider.Īnd we still need to see how the attestation situation is going to play out ( see note above) and whether there are going to be any consequences at all for sites that just try to block anything except mainstream devices ( see note above, the consequence would be losing iPhone users). It absolutely does, it's just only a first step. That's not to say that an Open implementation of a platform authenticator doesn't matter. It'll still be a situation where if a family member loses their iPhone and they haven't synced keys to other devices already, their only solution is to buy another iPhone like a good little consumer. This is still going to be a situation where if you export your keys from KeePassXC, you won't be able to import them into anywhere.
#KEEPASSXC QUICK UNLOCK ANDROID#
To where? This is still going to be a situation where a family member tells me they're interested in switching to Android and I have to tell them that they'll have to one-by-one transfer their login information. Okay, let's say you can export and import from KeePassXC. That last point is possibly the biggest problem, and it's part of why I've been pushing that this needs to be part of the spec. Compatibility with other platform authenticators. Support for platform authenticators on Linux for Firefox and Chrome (Chrome currently has "no plans" to support this). So assuming it is true (which it looks to be) this shouldn't be an issue.) Extremely big deal because nobody is going to want to cut off Apple keys, which effectively means those services can't require attestation. ( Edit: it's been pointed out below that Apple is getting rid of attestation for its platform authenticators, and as far as I can tell that's true. Guaranteess that attestation won't be used to block KeePassXC from being used as an authenticator. It's a huge first step, but only a first step.
0 kommentar(er)
