I think it would be really fun to do a talk that's not just "intro to passkeys" but more "how can you mess up passkey implementation".
I know you can set up SSO so you don't link the SSO accounts immutably to an account. You 100% could do the same thing with passkeys, and I think proposing a talk would be a good incentive to learn more about how passkeys work in detail (like how badly could you mess up a passkey request? Or is it really just that robust because the browser controls it? What if you roll your own in a custom app? Maybe the only issues are after the passkey exchange, but that still gives you a rich tapestry of fuck-ups to choose from!)
Would you be interested in such a talk? What questions do you have about passkeys?