Hacker News

throwawayk7h today at 5:21 AM

That's not true. Passkeys have an optional remote attestation capability, which second parties can use to completely enforce aspects of your keys, such as them being non-transferable or not usable without a screen touch, etc.



cyberax today at 8:12 AM

Passkeys (as defined in the spec) by definition don't.

Non-passkey WebAuthn keys can have additional attestations.

vel0city today at 5:38 AM

This doesn't change the fact it can still be your physical device that remains in your personal control.

I can stash them on a YubiKey or similar device and still meet those requirements. It's still only my device; it doesn't rely on other services, etc.
