Hacker News

nerdsniper, yesterday at 7:39 PM (3 replies)

I believe you'll also need Bluetooth enabled on both devices. At least you do for those "scan this QR code displayed on your computer to authenticate using the passkey on your phone" features, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.


Replies

jeroenhd, today at 8:32 AM

CTAP2 requires Bluetooth but I'm not seeing any mention of that protocol here? It wouldn't really solve the "are you a human" thing, because you can just implement your own CTAP2 protocol handler if you wanted to write a bot.

I think the phone will just do basic remote attestation and then do a POST request to Google. Still not exactly difficult to bypass for anyone with a dollar to throw at the click/ad fraud farms, though.

hellojesus, yesterday at 11:41 PM

My desktop doesn't have Bluetooth. Does this mean I'd be doomed even if I had a compatible mobile device?

g-b-r, yesterday at 11:25 PM

In passkeys the Bluetooth is used for the actual authentication protocol...
