If you can drop a single device in a lake and lose your credential, it’s not a passkey. Passkeys are backed up and synced across your devices to deliver a great and safe user experience, while also eliminating phishing.
If it’s device-bound, it’s not a passkey. :)
@rmondello This is a *very* spicy take, and I think it's fair to say it's not shared by everyone.
Saying passkeys *must* be synced only serves to exclude folks that have a legitimate need (or want!) to have a credential that's completely under their own control.
@SmartAsABrick Then don’t call it a passkey. :)
@rmondello I don't think that's helpful for users or developers. You can't tell WebAuthn to create a synced credential; you can inspect a credential after it's made to see if it's synced.
So what do you label the UI? "Create a passkey or other WebAuthn credential"?
Or do you label it "Create a passkey" and let people make a non-synced credential? Maybe you warn people after you create it that it's not a passkey, even when that's the button they clicked?
I don't really love the FIDO Alliance definition, but at least it aligns with what developers can design around.
If the goal is to get people to adopt this stuff (which I think it should be, because passwords are just the worst), then trying to push a definition that doesn't align with how the tech works doesn't help, does it?
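The "inspect a credential after it's made" point above refers to the Backup Eligibility (BE) and Backup State (BS) bits in the flags byte of WebAuthn authenticator data. The following is an added example written for this thread, not code posted by either participant: it decodes that flags byte from a raw `authenticatorData` buffer and reports whether the registered credential is synced, device-bound, or eligible for backup but not yet backed up. The sample buffers are constructed inline with a zeroed rpIdHash and are not real authenticator output; the function names are this example's own.

```javascript
// Decode the fixed prefix of WebAuthn authenticatorData:
//   bytes 0..31  rpIdHash (SHA-256 of the RP ID)
//   byte  32     flags
//   bytes 33..36 signature counter, big-endian
// Flag bit assignments follow the WebAuthn Level 3 specification.
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligibility: credential may be synced/backed up
const FLAG_BS = 0x10; // backup state: credential is currently backed up
const FLAG_AT = 0x40; // attested credential data follows
const FLAG_ED = 0x80; // extension data follows

const RP_ID_HASH_LEN = 32;
const FLAGS_OFFSET = RP_ID_HASH_LEN;        // byte 32
const SIGN_COUNT_OFFSET = FLAGS_OFFSET + 1; // bytes 33..36

function parseAuthenticatorData(authData) {
  const bytes = authData instanceof Uint8Array ? authData : new Uint8Array(authData);
  if (bytes.length < SIGN_COUNT_OFFSET + 4) {
    throw new RangeError(`authenticatorData too short: ${bytes.length} bytes`);
  }
  const flags = bytes[FLAGS_OFFSET];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, RP_ID_HASH_LEN),
    flags: {
      userPresent: (flags & FLAG_UP) !== 0,
      userVerified: (flags & FLAG_UV) !== 0,
      backupEligible: (flags & FLAG_BE) !== 0,
      backupState: (flags & FLAG_BS) !== 0,
      attestedCredentialData: (flags & FLAG_AT) !== 0,
      extensionData: (flags & FLAG_ED) !== 0,
    },
    signCount: view.getUint32(SIGN_COUNT_OFFSET, false),
  };
}

// Map the BE/BS pair to the distinction argued about in the thread.
function classifyCredential(authData) {
  const { flags } = parseAuthenticatorData(authData);
  if (!flags.backupEligible && flags.backupState) {
    // BS=1 with BE=0 is not a valid combination; reject rather than guess.
    throw new Error("invalid flags: backup state set on a non-backup-eligible credential");
  }
  if (!flags.backupEligible) return "device-bound";
  return flags.backupState ? "synced" : "backup-eligible, not yet backed up";
}

// Constructed sample buffers (not real authenticator output): zeroed rpIdHash,
// one flags byte, and a big-endian signature counter.
function sampleAuthData(flagsByte, signCount = 0) {
  const out = new Uint8Array(RP_ID_HASH_LEN + 1 + 4);
  out[FLAGS_OFFSET] = flagsByte;
  new DataView(out.buffer).setUint32(SIGN_COUNT_OFFSET, signCount, false);
  return out;
}

const SAMPLE_SYNCED = sampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS);
const SAMPLE_DEVICE_BOUND = sampleAuthData(FLAG_UP | FLAG_UV, 7);

console.log(classifyCredential(SAMPLE_SYNCED));       // synced
console.log(classifyCredential(SAMPLE_DEVICE_BOUND)); // device-bound
```

In a browser, the buffer to pass in comes from `credential.response.getAuthenticatorData()` on the `AuthenticatorAttestationResponse` returned by `navigator.credentials.create()`; on a server it is the same bytes after the attestation object has been CBOR-decoded. Because the bits only become known after creation, a relying party that wants to require (or forbid) synced credentials can only enforce that policy by checking BE/BS post-registration and deciding what to store or what to tell the user, which is the practical constraint the post above describes.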