> they are treated like a virtually secret value by the platform
"virtually" is the problem
for WebAuthn the public key isn't revealed to everyone for privacy reasons, not cryptographic reasons
the WebAuthn API is also only part of the cryptosystem
the platform authenticator (YubiKey, Windows Hello, password manager, whatever) may have an API to list stored public keys without any authentication at all
because they were never intended to be protected
It's a deliberate architectural decision that passkey authenticators not allow any retrieval or enumeration of key pairs - they don't even have internal APIs for it. This holds true for all known implementations, as it is a core principle of the system design.