Thoughts on WebAuthn?
Recently “big tech” (I hate the term, but its use is sometimes justified) has been making a push towards replacing passwords with WebAuthn, a passwordless authentication technology.
For those unfamiliar, your phone or laptop asks you for your system password or biometrics to verify that you want to sign up or log in to a website, and then shares a site-specific private key to that website for authentication.
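The sign-up and login flow described above, as an added example that is not from the original post or from any real WebAuthn implementation: a toy authenticator (a Go map, not firmware) holds one P-256 key per site and, at sign-up, hands the site only the public half of that key pair; at login it signs the site's challenge, and the site's verifier checks origin, challenge, rpIdHash and user presence before the signature. The rpID "example.com", the origins, and the fixed sign counter of 0 are assumptions for the example; attestation is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)

// Authenticator is a toy model of the device side (not real firmware): one private key per
// relying party (rpID) that never leaves the device; only public keys and signatures go out.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a site-scoped P-256 key pair at sign-up and hands the site only the public key.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a[rpID] = k
	return &k.PublicKey
}

// Assert signs authenticatorData || SHA-256(clientDataJSON) with the site's key (ES256), where
// authenticatorData = rpIdHash(32) || flags(1, bit0 = user present) || signCount(4).
func (a Authenticator) Assert(rpID string, clientData []byte) (authData, sig []byte) {
	h, cdh := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	authData = append(h[:], 0x01, 0, 0, 0, 0)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...)) // ECDSA signs a hash
	sig, _ = ecdsa.SignASN1(rand.Reader, a[rpID], digest[:])
	return authData, sig
}

// ClientData builds clientDataJSON as the browser (not the page) does for navigator.credentials.get().
func ClientData(challenge []byte, origin string) []byte {
	b, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin,
		"challenge": base64.RawURLEncoding.EncodeToString(challenge)})
	return b
}

// VerifyAssertion is the relying party's login check: ceremony type, origin (phishing resistance),
// its own challenge (replay resistance), rpIdHash, user-presence flag, then the signature.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge, clientData, authData, sig []byte) bool {
	var cd struct{ Type, Challenge, Origin string }
	if json.Unmarshal(clientData, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != origin ||
		cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return false
	}
	want, cdh := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	if len(authData) < 37 || string(authData[:32]) != string(want[:]) || authData[32]&0x01 == 0 {
		return false
	}
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

An attestation statement, when a site asks for one, would travel with the public key at Register time; this model leaves it out, which is what the spec's default conveyance preference ("none") also does.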
While improving the end user's security is a noble goal, I can't help but feel that this is another move by big tech to consolidate its power:
Since it's locked to your on-device credentials, good luck when you want to switch platforms. Or when you realize that you have to buy that iPhone to go along with your Mac (or a Chromebook to go along with your Android) so that it can sync the site-specific keypairs across devices.
You're completely fucked if your devices get stolen. You can't even borrow your friend's or neighbour's phone to complete some essential tasks.
Websites can ask for "attestation", or a verification of the kind of device you're using. Great way to increase user tracking, while at the same time preventing Linux/*BSD (or any other niche OS) users from logging on to any website asking for said attestation, such as a bank.
Netflix and co are rubbing their hands with glee now that you can't share passwords any more.
I found this really insightful comment on HN, and I'll quote it verbatim:
Once practically everyone has accepted and adopted this system, governments (having already banned E2EE messaging apps by this point) will complain that Big Tech are allowing cyber-terrorists to maintain anonymous identities online and not doing enough to protect the children.
The offices of Apple, Google, and Microsoft would then receive calls from the national tax/anti-trust authorities saying the government was thinking of launching an audit/investigation into those companies and wouldn't it be a shame if something happened to their profit margin that year.
Within a few months we'd see these companies all "voluntarily" release software updates which add a "Citizen ID" field to every FIDO interaction, with those IDs being issued by a government API and verified using a bank card and facial recognition.
What do you think about it?