r/passkey

▲ 19 r/passkey

whats the benefit of passkeys if not enforced at all?!

PayPal has been shoving in my face for months to create a passkey. I use 1password so I gave in today and set one up.

Logging in now defaults to asking for passkey which the 1password extension happily provides. Okay.

Out of curiousity, I tried to login from a browser that does not have 1password extension. PayPal didn't even bother to ask for a passkey and straight away showed the normal email+pw login mask.

  1. If I can't remove the normal password fallback, how are passkeys more secure?!
  2. Is there really no other way to provide a passkey other than through the browser extension? Sounds flawed, but.. maybe I'm just not getting something here.
reddit.com
u/katerlouis — 9 days ago

Is it just me, or is the WebAuthn / Passkey spec an over-engineered nightmare to implement from scratch?

I’ve spent the last week trying to roll native Passkey support into our database/auth schema without pulling in a massive external provider. I thought it would be a simple browser API call, but holy crap. Decoding the attestationObject from raw binary array buffers, parsing CBOR payload maps in Node, extracting the raw COSE public key format, and mapping the credential IDs safely to a SQL schema, it feels like you need a PhD in cryptography just to let a user touch their FaceID.

Has anyone successfully built a lightweight, pure TypeScript handler for this without exploding their client-side bundle or relying on a bloated third-party library? How are you handling fallback when a device drops cross-platform WebAuthn support?

reddit.com
u/IterateFast — 9 days ago
▲ 29 r/passkey

New website shames high-traffic sites without passkeys

Found this new website https://whynopasskeys.com/ that provides and shames a list of the high-traffic sites of different countries that don't offer passkeys to protect their users.

What I found interesting is that globally only 6 out of 25 are missing but when you go on country level it's usually that +20 out of 25 are missing, so still much work to do.

u/vdelitz — 11 days ago