X & Passkeys by @rmondello@hachyderm.io
You may have heard that “X”, “the everything app”, is making users re-enroll their passkeys so they have passkeys that are saved for x.com instead of twitter.com.

Something that all of y’all should know is that, although passkeys are bound to an origin, passkeys are usable across origins (specific limitations apply). By adopting Related Origin Requests, the X app and website could make use of twitter.com passkeys. (Adopters of Related Origin Requests in production include Amazon, Microsoft, and Ticketmaster.)

Forcing users to re-enroll their credentials is categorically technically unnecessary, unless their goal was to ensure users never see “twitter.com” in password manager UI. Hypothetically, if I had to execute on that goal, I wouldn’t set a deadline by which I’d stop accepting twitter.com passkeys, because that’s an inconvenience for users that can turn into a self-inflicted downgrade attack of sorts.
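As an added example (not code from the post or from X), here is the check a WebAuthn client performs under Related Origin Requests when a page on x.com asks for a passkey scoped to rpId "twitter.com"; the well-known document is a constructed stand-in, the registrable-domain helper is simplified, and the cap of 5 is the minimum number of distinct labels the spec requires clients to support.

```javascript
// Constructed stand-in for the JSON a relying party serves at
// https://twitter.com/.well-known/webauthn (not X's real document).
const WELL_KNOWN_TWITTER = {
  origins: ["https://x.com", "https://www.x.com", "https://mobile.twitter.com"],
};

// Spec minimum number of distinct registrable domains ("labels") a client
// must support; entries beyond that are ignored, not accepted.
const MAX_LABELS = 5;

// Simplification: treat the last two host labels as the registrable domain.
// Real clients consult the Public Suffix List (e.g. for co.uk).
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns true if `callerOrigin` may use credentials scoped to `rpId`.
function isRelatedOrigin(callerOrigin, rpId, wellKnownDoc) {
  const caller = new URL(callerOrigin);
  // Ordinary case: the caller's host equals, or is a subdomain of, the RP ID.
  if (caller.hostname === rpId || caller.hostname.endsWith("." + rpId)) {
    return true;
  }
  // Cross-origin case: the RP's well-known document must list the caller.
  if (!wellKnownDoc || !Array.isArray(wellKnownDoc.origins)) return false;
  const seen = new Set();
  for (const entry of wellKnownDoc.origins) {
    let url;
    try { url = new URL(entry); } catch { continue; }   // skip malformed
    if (url.protocol !== "https:") continue;            // only secure origins
    const label = registrableDomain(url.hostname);
    if (!seen.has(label)) {
      if (seen.size >= MAX_LABELS) continue;            // label cap reached
      seen.add(label);
    }
    if (url.origin === caller.origin) return true;      // exact origin match
  }
  return false;
}
```

On the server, the relying party still compares clientDataJSON.origin against the same allowlist when verifying the assertion; the browser-side check alone does not bind the response to a permitted origin.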