How do passkeys make users identifiable beyond being a random token? I recall FIDO shared hardware key serial numbers with websites, but at least on Firefox, it prompts you to deny it.

In that case, one could argue emails don't make users identifiable either, if the addresses don't contain any meaningful names.

A passkey is always one per site. Emails tend to be naturally reused, unless the visitor uses a paid aliasing service (the plus trick is trivial to canonicalize; having a dozen mailboxes on a self-hosted email still associates them with each other, because there's no anonymity set to speak of; and major email providers like Gmail won't let you register an account today without a phone number, credit card, or passport).

And yet your passkey and therefore app access is tied to a singular key connecting that with all the user info.