
If you can drop a single device in a lake and lose your credential, it’s not a passkey. Passkeys are backed up and synced across your devices to deliver a great and safe user experience, while also eliminating phishing.

If it’s device-bound, it’s not a passkey. :)

@rmondello Is that a normative thing in a standard, or a spicy opinion?

I’m trying to understand what passkeys *are*, and so far I’m puzzled.
hachyderm.io/@fvsch/1111822210

Florens Verschelde

@uint8 Thanks. Also reading this in their FAQ:

> When delineation is required, passkeys that are synced between user’s devices via a cloud service are generally referred to as “synced passkeys”, and those that never leave a single device (including those on UAF apps) are referred to as “device-bound passkeys”.

@uint8 Though the FIDO passkeys FAQ also suggests that synced passkeys should be the default user experience:
 
> Syncing is critically important for FIDO to achieve its mission, which is to make sign-in easier and fundamentally safer by replacing passwords in as many places as possible.

> The usability of a password replacement must compete with the convenience of passwords, and one of the primary usability benefits of passwords is that they can be used from any device.

@uint8 So “If it’s device-bound, it’s not a passkey” is a spicy opinion that does not quite match FIDO’s position (since they recommend the language “device-bound passkey”), but it does match the overall intent and intended primary use case of passkeys.

@fvsch

> but it does match the overall intent and intended primary use case of passkeys.

For most consumer users, yes, the ability to sync, back up, and restore your #passkeys is a good thing for usability. And it should probably be the default for most/all consumer scenarios.

However, defining "passkeys" to exclude device-bound authenticators introduces an ecosystem/UI/UX split for little reason. It's the same technology stack top to bottom outside of the implementation details of the authenticator itself.

We can provide the good default user experience of synced passkeys without taking the freedom from security-conscious enterprises/users to use YubiKeys on passkey-supported websites.
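The last reply's point that synced and device-bound credentials share the same stack, and that an enterprise may still want to accept only hardware keys, can be made concrete on the relying-party side. The following is an added example, not code from this thread, from FIDO, or from any WebAuthn library: it goes slightly beyond the discussion by showing the one place where the two kinds differ on the wire, the BE (backup eligible) and BS (backup state) flag bits that WebAuthn Level 3 defines in the authenticator data. The parser, the `classifyCredential` and `checkRegistrationPolicy` helpers, the two policy objects, and the sample authenticator data bytes are all constructed here for illustration.

```javascript
// Added example (not from the thread or any WebAuthn project): how a relying
// party reads the backup flags that separate synced from device-bound passkeys.
// Authenticator data layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...

const FLAG = {
  UP: 1 << 0, // user present
  UV: 1 << 2, // user verified
  BE: 1 << 3, // backup eligible: the credential can be synced / backed up
  BS: 1 << 4, // backup state: the credential is currently backed up
  AT: 1 << 6, // attested credential data present
  ED: 1 << 7, // extension data present
};

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    flags,
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0,
    backupState: (flags & FLAG.BS) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// "synced" when the authenticator declares the credential backup-eligible,
// otherwise "device-bound" (the hardware-key case from the thread).
function classifyCredential(parsed) {
  if (parsed.backupState && !parsed.backupEligible) {
    // The spec forbids BS=1 with BE=0; treat it as a malformed response.
    throw new Error("invalid flags: BS set without BE");
  }
  return parsed.backupEligible ? "synced" : "device-bound";
}

// Hypothetical policies: an enterprise that accepts only device-bound
// credentials, and a consumer service that accepts either kind.
const ENTERPRISE_POLICY = { allowedKinds: ["device-bound"], requireUserVerification: true };
const CONSUMER_POLICY = { allowedKinds: ["device-bound", "synced"], requireUserVerification: false };

function checkRegistrationPolicy(parsed, policy) {
  if (policy.requireUserVerification && !parsed.userVerified) {
    return { ok: false, reason: "user verification required" };
  }
  const kind = classifyCredential(parsed);
  if (!policy.allowedKinds.includes(kind)) {
    return { ok: false, reason: `${kind} credentials are not accepted` };
  }
  return { ok: true, kind };
}

// Constructed sample data: a fake rpIdHash (0xAB repeated) plus the given
// flags byte and signature counter. Real values come from the authenticator.
function makeSampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37).fill(0xab, 0, 32);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

// Stand-alone demo: one synced-style response, one device-bound-style response.
const syncedSample = makeSampleAuthData(FLAG.UP | FLAG.UV | FLAG.BE | FLAG.BS, 7);
const boundSample = makeSampleAuthData(FLAG.UP | FLAG.UV, 42);
for (const [label, sample] of [["synced", syncedSample], ["device-bound", boundSample]]) {
  const parsed = parseAuthenticatorData(sample);
  console.log(label, classifyCredential(parsed), checkRegistrationPolicy(parsed, ENTERPRISE_POLICY));
}
```

Everything else in a registration or assertion (challenge, origin, signature, counter handling) is identical for both kinds, which is the reply's point: the relying party can enforce a device-bound-only policy, or accept both, by reading two bits rather than by running a separate stack. Note that these flags are self-reported by the authenticator; a relying party that must prove the credential is hardware-bound still needs attestation, which is outside this example.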