You may have heard that “X”, “the everything app”, is making users re-enroll their passkeys so they have passkeys that are saved for x.com instead of twitter.com.
Something that all of y’all should know is that, although passkeys are bound to an origin, passkeys *are* usable across origins (specific limitations apply). By adopting [Related Origin Requests](passkeys.dev/docs/advanced/rel…), the X app and website could make use of twitter.com passkeys. (Adopters of Related Origin Requests in production include Amazon, Microsoft, and Ticketmaster.)
Forcing users to re-enroll their credentials is categorically technically unnecessary, unless their goal was to ensure users never see “twitter.com” in password manager UI. Hypothetically, if I had to execute on *that* goal, I wouldn’t set a deadline by which I’d stop accepting twitter.com passkeys, because that’s an inconvenience for users that can turn into a self-inflicted downgrade attack of sorts.

The Related Origin Requests (ROR) feature allows an RP to enable a passkey to be created and used across a limited set of related origins.
Mark Dumay (passkeys.dev)
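
The check a WebAuthn client performs for Related Origin Requests, sketched as an added example that is not part of the original post or of any site's real configuration. It is modelled on the related-origins validation in WebAuthn Level 3; the sample document, the tiny public-suffix set and the function names are constructed for illustration.

```javascript
// Constructed sample: the JSON an RP could serve at
// https://twitter.com/.well-known/webauthn while keeping RP ID "twitter.com".
const SAMPLE_WELL_KNOWN = JSON.stringify({
  origins: ["https://twitter.com", "https://mobile.twitter.com", "https://x.com"],
});

// Assumption: small stand-in for the Public Suffix List, enough for this sample.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// First label of the registrable domain, e.g. "shop.example.co.uk" -> "example".
function registrableLabel(hostname) {
  const parts = hostname.toLowerCase().split(".");
  for (let i = 1; i < parts.length; i++) {
    if (PUBLIC_SUFFIXES.has(parts.slice(i).join("."))) return parts[i - 1];
  }
  return null; // bare suffix or unknown suffix
}

// May callerOrigin use a passkey whose RP ID publishes wellKnownJson?
// maxLabels is the client's budget of distinct registrable labels
// (clients must support at least five).
function isRelatedOrigin(callerOrigin, wellKnownJson, maxLabels = 5) {
  let doc;
  try { doc = JSON.parse(wellKnownJson); } catch { return false; }
  if (!doc || !Array.isArray(doc.origins)) return false;
  const labelsSeen = new Set();
  for (const item of doc.origins) {
    let url;
    try { url = new URL(item); } catch { continue; } // skip unparseable entries
    const label = registrableLabel(url.hostname);
    if (!label) continue;
    // Entries that would exceed the label budget are ignored, not matched.
    if (labelsSeen.size >= maxLabels && !labelsSeen.has(label)) continue;
    if (url.origin === callerOrigin) return true;
    labelsSeen.add(label);
  }
  return false;
}
```

The label budget is one of the limitations that apply: an origin listed after the client's limit of distinct registrable labels has been reached is treated as unrelated.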