
Are passkeys somehow signed by Google/Apple? I thought passkeys are like ssh keys.


They are, except they have a vendor ID that allows you to tell which vendor made the device you're talking to. You can get Passkeys by any number of vendors, but any authenticating website can decide to only allow a few vendors to log in with it.


Synchronized passkeys by both Apple and Google don't use that mechanism (attestation).

There's also the AAGUID, but without attestation, every implementation is free to provide Apple's or Google's, should websites ever start requiring that.
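To make the distinction above concrete, here is an added example (not from this thread) of how a relying party parses the AAGUID out of WebAuthn authenticatorData and why it should only feed an allowlist policy once the attestation statement has actually been verified; the RP ID hash, AAGUID, credential ID and key bytes are constructed placeholders, and chain verification against a trusted root is assumed to happen elsewhere.

```python
import struct
import uuid
from typing import Optional

FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included

# Constructed sample values, not real authenticator identifiers.
SAMPLE_RP_ID_HASH = b"\x11" * 32
SAMPLE_AAGUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_CRED_ID = b"\xaa" * 16
SAMPLE_COSE_KEY = b"\xa5\x01\x02"  # truncated CBOR stand-in for the public key

def build_auth_data(aaguid: uuid.UUID, cred_id: bytes, cose_key: bytes,
                    rp_id_hash: bytes = SAMPLE_RP_ID_HASH, sign_count: int = 0) -> bytes:
    """Assemble authenticatorData as laid out in the WebAuthn spec:
    rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key."""
    flags = FLAG_UP | FLAG_AT
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + cose_key)

def parse_aaguid(auth_data: bytes) -> Optional[uuid.UUID]:
    """Return the AAGUID from authenticatorData, or None when the AT flag is clear."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        return None
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("attested credential data truncated")
    return uuid.UUID(bytes=auth_data[37:53])

def aaguid_for_policy(auth_data: bytes, attestation_verified: bool) -> Optional[uuid.UUID]:
    """Only hand the AAGUID to vendor-allowlist logic when the attestation statement
    was verified. With fmt 'none' (what synced passkeys send) or an unverified chain,
    the AAGUID is a self-reported value and must not drive a trust decision."""
    if not attestation_verified:
        return None
    return parse_aaguid(auth_data)

def vendor_allowed(auth_data: bytes, attestation_verified: bool,
                   allowlist: set) -> bool:
    """RP policy check: True only for a verified AAGUID that is on the allowlist."""
    aaguid = aaguid_for_policy(auth_data, attestation_verified)
    return aaguid is not None and aaguid in allowlist
```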


> any authenticating website can decide to only allow a few vendors to log in with it.

That's an excellent way of telling your customers you want them to go somewhere else. What's the upside?


I'm not sure, it sounds silly to me. I guess you can mandate "secure" brands?



