Open peterthomassen opened 1 year ago
Would this extend to a completely passwordless login with passkeys as well?
In general, why not! But: https://github.com/desec-io/desec-stack/issues/316#issuecomment-1221184243 has a concern about this, namely the complexity of having to deal with attestation / PKI stuff. I'm not too familiar with that stuff (yet). If you know more, can you share what you think about this?
I would generally say that the quality of the authenticators people use for their own accounts is more or less their own business and that there’s therefore no need to pull attestation into the mix just to implement WebAuthn fully. It’s no different from choosing to leave your API keys unprotected.
Attestation is usually used by e.g. corporate environments or banks or whatever that want to enforce strict policies around what’s used for authentication.
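As an added illustration of the reply above (example code written for this page, not desec-stack's own implementation), here is what a relying party that does not care about attestation actually has to do with a passkey registration: decode the `attestationObject`, validate the authenticator data (RP ID hash, user-presence flag, attested credential data) and store the credential's public key, without ever looking at `attStmt` or any certificate chain. The names `build_sample_attestation`, `check_registration`, `parse_auth_data` and the tiny CBOR codec are this example's own; the sample response is constructed inline, with an RP ID of `desec.io` used purely as an example and a COSE key whose coordinates are placeholders rather than a real P-256 point.

```python
"""Registration-time handling of a WebAuthn attestation object when the RP
requested attestation "none".  Added example, not desec-stack code.  The
CBOR codec covers only what a registration response needs (ints, byte and
text strings, arrays, maps; definite lengths up to 2**32)."""
import hashlib
import struct

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40   # authenticator data flag bits


def _head(major, n):
    """CBOR initial byte(s) for a major type and unsigned argument n."""
    if n < 24:
        return bytes([major << 5 | n])
    if n < 0x100:
        return bytes([major << 5 | 24, n])
    if n < 0x10000:
        return bytes([major << 5 | 25]) + struct.pack(">H", n)
    return bytes([major << 5 | 26]) + struct.pack(">I", n)


def cbor_encode(obj):
    """Encode int, bytes, str, list, dict (used here to build the sample)."""
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        return _head(3, len(obj.encode())) + obj.encode()
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(
            cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError("unsupported type %r" % type(obj))


def cbor_decode(data, pos=0):
    """Decode one item at data[pos]; returns (value, next_pos)."""
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info == 24:
        n, pos = data[pos], pos + 1
    elif info == 25:
        n, pos = struct.unpack(">H", data[pos:pos + 2])[0], pos + 2
    elif info == 26:
        n, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
    else:
        raise ValueError("unsupported CBOR argument encoding")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major == 2:
        return bytes(data[pos:pos + n]), pos + n
    if major == 3:
        return data[pos:pos + n].decode(), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        items = {}
        for _ in range(n):
            key, pos = cbor_decode(data, pos)
            items[key], pos = cbor_decode(data, pos)
        return items, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_auth_data(auth_data):
    """Split authenticator data: rpIdHash, flags, signCount and, when the AT
    flag is set, AAGUID, credential ID and the COSE-encoded public key."""
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    cred = None
    if flags & FLAG_AT:
        aaguid = auth_data[37:53]
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        pub_key, _ = cbor_decode(auth_data, 55 + cred_len)
        cred = {"aaguid": aaguid, "id": cred_id, "public_key": pub_key}
    return {"rp_id_hash": rp_id_hash, "flags": flags,
            "sign_count": sign_count, "credential": cred}


def check_registration(attestation_object, rp_id):
    """Validate a registration response the way an RP that asked for
    attestation "none" does: only the authenticator data is checked and
    attStmt is never consulted, so no attestation PKI is involved."""
    att, _ = cbor_decode(attestation_object)
    auth = parse_auth_data(att["authData"])
    if auth["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match %r" % rp_id)
    if not auth["flags"] & FLAG_UP:
        raise ValueError("user presence flag not set")
    if auth["credential"] is None:
        raise ValueError("attested credential data missing")
    return auth["credential"]   # store id + public_key for later assertions


def build_sample_attestation(rp_id, cred_id, flags=FLAG_UP | FLAG_UV | FLAG_AT):
    """Constructed sample of an authenticator's "none" attestation object.
    ES256 COSE key with placeholder coordinates (not a real curve point);
    AAGUID zeroed, as the client does when the RP requested "none"."""
    cose_key = {1: 2, 3: -7, -1: 1, -2: b"\x11" * 32, -3: b"\x22" * 32}
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
                 + struct.pack(">I", 0) + bytes(16)
                 + struct.pack(">H", len(cred_id)) + cred_id + cbor_encode(cose_key))
    return cbor_encode({"fmt": "none", "attStmt": {}, "authData": auth_data})


if __name__ == "__main__":
    obj = build_sample_attestation("desec.io", b"\x01\x02\x03")
    print(check_registration(obj, "desec.io"))
```

On the client side this corresponds to passing `attestation: "none"` in the `publicKey` options of `navigator.credentials.create()`, which is also the default. An RP with the kind of policy the reply mentions (banks, corporate environments) would in addition request `"direct"` attestation, refuse `fmt == "none"`, and verify `attStmt` against trusted roots before trusting the AAGUID; that verification is the PKI work this example deliberately leaves out.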