Hacker News

csuwldcat, last Wednesday at 1:58 AM (1 reply)

The interesting thing about Passkeys is that they are only ever output in the client create() call, and the platform does not retain them for disclosure after that, so if you don't send them out of the origin boundary, they are treated like a virtually secret value by the platform. It's ironic, because the WebAuthn/Passkey authors (some of whom I know) explicitly treat the public key as a sensitive value, and built system assumptions around that, which is what makes this possible. It's a rather gross hack, can't deny that, but there is a group of use cases for which it is a better fit than any of the far more ugly flows many non-P-256 self-custodied key use cases are accomplished with today.
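To make the "only ever output in create()" point concrete, here is an added example (not from the thread or from any WebAuthn implementation) that parses the authenticatorData structure from the WebAuthn spec. On a create() call the authenticator sets the AT flag and appends attested credential data (AAGUID, credential ID, COSE-encoded public key); on a get() call the AT flag is clear and the structure carries only the RP ID hash, flags and signature counter, so there is no public key to read back. The sample byte strings are constructed inline to match those layouts, and the CBOR decoder is deliberately minimal (ints, negative ints, byte strings, maps), which is all a COSE EC2 key needs.

```javascript
// Added example: parse WebAuthn authenticatorData and show that the credential
// public key is present only when the AT flag is set (create()), never in a
// get() assertion. Layouts follow the WebAuthn spec's authenticatorData
// definition; the sample bytes are constructed here, not captured from a device.

// Minimal CBOR decoder: unsigned ints, negative ints, byte strings and maps,
// with 0-, 1- or 2-byte length encodings. Enough for a COSE_Key, nothing more.
function decodeCbor(bytes, offset = 0) {
  const first = bytes[offset];
  const major = first >> 5;
  const info = first & 0x1f;
  let pos = offset + 1;
  let len;
  if (info < 24) len = info;
  else if (info === 24) { len = bytes[pos]; pos += 1; }
  else if (info === 25) { len = (bytes[pos] << 8) | bytes[pos + 1]; pos += 2; }
  else throw new Error('CBOR: unsupported length encoding');

  switch (major) {
    case 0: return { value: len, next: pos };            // unsigned int
    case 1: return { value: -1 - len, next: pos };       // negative int
    case 2: return { value: bytes.slice(pos, pos + len), next: pos + len }; // bstr
    case 5: {                                             // map
      const map = new Map();
      for (let i = 0; i < len; i++) {
        const k = decodeCbor(bytes, pos);
        const v = decodeCbor(bytes, k.next);
        map.set(k.value, v.value);
        pos = v.next;
      }
      return { value: map, next: pos };
    }
    default: throw new Error(`CBOR: unsupported major type ${major}`);
  }
}

// authenticatorData: rpIdHash[32] | flags[1] | signCount[4] | (attestedCredentialData)?
// attestedCredentialData: aaguid[16] | credIdLen[2] | credId | COSE_Key (CBOR)
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const flags = authData[32];
  const out = {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    attestedCredentialData: (flags & 0x40) !== 0, // AT flag
    signCount: ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0,
    credentialId: null,
    publicKey: null,
  };
  if (out.attestedCredentialData) {
    const idLen = (authData[53] << 8) | authData[54]; // aaguid occupies bytes 37..52
    out.credentialId = authData.slice(55, 55 + idLen);
    const cose = decodeCbor(authData, 55 + idLen).value;
    // COSE_Key labels: 1=kty, 3=alg, -1=crv, -2=x, -3=y
    out.publicKey = { kty: cose.get(1), alg: cose.get(3), crv: cose.get(-1), x: cose.get(-2), y: cose.get(-3) };
  }
  return out;
}

// Constructed sample data (assumed values, not real credentials).
function buildSample() {
  const rpIdHash = new Uint8Array(32).fill(0xaa);
  const aaguid = new Uint8Array(16);                  // all-zero AAGUID
  const credentialId = Uint8Array.from([0xde, 0xad, 0xbe, 0xef]);
  const x = new Uint8Array(32).fill(0x11);
  const y = new Uint8Array(32).fill(0x22);
  // COSE_Key map: {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y}
  const coseKey = Uint8Array.from([0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01,
    0x21, 0x58, 0x20, ...x, 0x22, 0x58, 0x20, ...y]);
  // create(): flags UP|UV|AT = 0x45, signCount 1, then attested credential data
  const createAuthData = Uint8Array.from([...rpIdHash, 0x45, 0, 0, 0, 1,
    ...aaguid, 0x00, credentialId.length, ...credentialId, ...coseKey]);
  // get(): flags UP|UV = 0x05, signCount 2, and nothing else
  const getAuthData = Uint8Array.from([...rpIdHash, 0x05, 0, 0, 0, 2]);
  return { createAuthData, getAuthData };
}
```

In a real relying party the create() bytes come from the attestationObject inside `navigator.credentials.create()`'s response (decode its CBOR map and take the `authData` entry), and the get() bytes are the `authenticatorData` field of `navigator.credentials.get()`'s response. The parser shows why the public key has to be captured and stored at registration: the assertion path never carries it again.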


Replies

blibble, last Wednesday at 2:06 AM

> they are treated like a virtually secret value by the platform

"virtually" is the problem

for webauthn the public key isn't revealed to everyone for privacy reasons, not cryptographic reasons

the webauthn API is also only part of the cryptosystem

the platform authenticator (yubikey, windows hello, password manager, whatever) may have an API to list stored public keys without any authentication at all

because they were never intended to be protected
