Investigate passkeys for phishing-resistant authentication

Passwords are vulnerable to credential stuffing, phishing, and keyloggers. Even with email verification, a malicious app could harvest credentials via a fake login screen.

Passkeys (WebAuthn) eliminate password transmission entirely. The OS handles authentication via biometrics/PIN, and cryptographic proof is sent instead of credentials. Native apps can use passkeys bound to our domain (`login.divine.video`) via platform APIs.

**References:**
- [draft-ietf-oauth-first-party-apps](https://datatracker.ietf.org/doc/draft-ietf-oauth-first-party-apps/) §5.1 recommends passkeys
- [WWDC 2022: Meet passkeys](https://developer.apple.com/videos/play/wwdc2022/10092/)
- [Android Credential Manager](https://developer.android.com/training/sign-in/passkeys)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Investigate passkeys for phishing-resistant authentication #9

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Investigate passkeys for phishing-resistant authentication #9

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions