Making end-to-end encrypted AI chat feel like logging in
2 points by manuel
Neat. But their service requires a Google account.
AFAIU, this is for recovery and so they can send you emails. According to https://x.com/moxie/status/2005702289865269612 plain, non-Google email is coming.
Synchronize the key across a user’s devices using secure, platform-specific mechanisms.
Okay, you're handing your key to someone. At this point it's no better than Telegram, WhatsApp (or OpenAI, Anthropic in the case of chatting with computers instead of humans) - you just replace the credentialed third-party with Google/Apple.
The trend towards biometric "authentication" is also absurd: Biometrics are public! They can - at most - replace usernames, not passwords.
Biometrics are used to secure access to the key on device; they don’t comprise the key. Most people don’t have a threat model where someone is duplicating their fingerprint and stealing their cell phone.
And to add to this, most people do have a threat model where someone gets their passwords.
Okay, you're handing your key to someone.
I just started looking into WebAuthn but I assume that you will be able to manage your passkeys any way you want, just like normal private keys. I don't think you have to hand your key to someone, it's a convenience.
The trend towards biometric "authentication" is also absurd
I tried the demo and my phone defaulted to locking the created passkey with my phone's lock screen PIN. So you don't have to use biometrics.
Passkeys can also be stored in most password managers. Some of which can be self hosted or even local only.