
> Each cloud service account can only have one passkey for Amazon

Assuming that this error message is correct and isn't just badly worded nonsense -- if the FIDO Alliance had any sense at all this would be barred from the spec and Amazon would have to either support correct behavior or skip getting certified and getting an official stamp of approval. I cannot believe that I'm being told by advocates that attestation for roaming providers won't be a problem when they can't even get websites to allow unlimited keys to be linked to an account.

"Websites wouldn't block an authenticator, they'd just be cutting off users", I am reassured while I watch Amazon sniff browser user agents so that it can block specific browsers from logging in. I'm glad that iOS is zeroing out authentication requests voluntarily, but if that error message is to be believed, that's apparently not good enough. It needs to be part of the spec.




> I'm glad that iOS is zeroing out authentication requests voluntarily

Do you mean attestation? If so, I believe that’s mostly out of the picture already, since it does not even make any sense anymore with “cloud-resident” passkeys.

It can’t be what Amazon uses in any case, since I can use 1Password on Chrome, but not Firefox.


> It can’t be what Amazon uses in any case, since I can use 1Password on Chrome, but not Firefox.

Correct, this is not attestation using the spec, but it is blocking off a device for logging into the service. To me, the relevance to attestation is that I'm just not confident that attestation "doesn't make any sense" for companies to pursue while I'm watching a service cut off a browser in a way that also doesn't make any sense for them to do.

I think if attestation doesn't make sense, it should be fine for the FIDO Alliance to have as part of certification that any provider implementing the spec should be supported and that roaming passkey providers should all do what Apple is doing and refuse to identify themselves. That's kind of two separate things: roaming providers should refuse to identify themselves, and also services that are claiming to support passkeys should as part of spec implementation not be allowed to do things like cut off a login from a passkey provider either by relying on attestation or by implementing their own hacky solution and doing something like sniffing the user agent.
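As an added illustration of the relying-party side the thread keeps coming back to (not code from any commenter, Amazon, or a WebAuthn library): a minimal registration handler that parses WebAuthn authenticator data, checks only what the spec requires (RP ID hash, user presence), records the AAGUID and attestation format without gating on them, and places no cap on passkeys per account. The authData bytes are constructed inline and the COSE public key is left opaque.

```python
import hashlib
from dataclasses import dataclass

# Bits of the WebAuthn authenticator-data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows

@dataclass
class AttestedCredential:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: bytes
    credential_id: bytes
    public_key_cbor: bytes  # COSE key, kept opaque in this example

def parse_auth_data(auth_data: bytes) -> AttestedCredential:
    """Split registration authData into its fixed-layout fields."""
    if len(auth_data) < 37 or not auth_data[32] & FLAG_AT:
        raise ValueError("not a registration authData with credential data")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = int.from_bytes(auth_data[33:37], "big")
    aaguid = auth_data[37:53]
    cred_len = int.from_bytes(auth_data[53:55], "big")
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credential id")
    return AttestedCredential(rp_id_hash, flags, sign_count, aaguid, cred_id,
                              auth_data[55 + cred_len:])

class CredentialStore:
    """Per-account passkey registry: unlimited credentials, no AAGUID policy."""
    def __init__(self, rp_id: str):
        self.rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        self.creds: dict[str, list[AttestedCredential]] = {}

    def register(self, user: str, auth_data: bytes, attestation_fmt: str) -> int:
        cred = parse_auth_data(auth_data)
        if cred.rp_id_hash != self.rp_id_hash:
            raise ValueError("credential was created for a different RP ID")
        if not cred.flags & FLAG_UP:
            raise ValueError("user presence not asserted")
        # attestation_fmt ("none", "packed", ...) and cred.aaguid (possibly all
        # zeros) are kept for audit logs only; they never decide acceptance.
        existing = self.creds.setdefault(user, [])
        if any(c.credential_id == cred.credential_id for c in existing):
            raise ValueError("credential id already registered")
        existing.append(cred)
        return len(existing)

def make_auth_data(rp_id: str, aaguid: bytes, cred_id: bytes) -> bytes:
    """Constructed sample authData (not real authenticator output)."""
    flags = bytes([FLAG_UP | FLAG_UV | FLAG_AT])
    return (hashlib.sha256(rp_id.encode()).digest() + flags + bytes(4) + aaguid
            + len(cred_id).to_bytes(2, "big") + cred_id + b"\xa0")  # empty CBOR map as key stand-in
```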



