    Webauthn must be used in a secure context which defeats some phishing tactics

    That’s not where the real phishing protection is. Webauthn defeats phishing because authentication is always bound to the domain. Any signatures made for githubcom.totally.legit.xyz are completely useless for logging in to github.com.
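Added example, not part of the original comments: a minimal Python sketch of the relying-party checks that make an assertion produced on `githubcom.totally.legit.xyz` unusable at `github.com`. The challenge value and helper names are constructed for illustration, and verification of the signature over `authenticatorData || SHA-256(clientDataJSON)` is assumed to happen separately.

```python
import hashlib
import hmac
import json

# Values the real site expects (domain taken from the comment above).
EXPECTED_ORIGIN = "https://github.com"
EXPECTED_RP_ID = "github.com"


def make_assertion(origin, rp_id, challenge):
    """Constructed sample of what a browser and authenticator emit for a page at `origin`."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData layout: rpIdHash (32 bytes) || flags (1) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return client_data, auth_data


def check_binding(client_data_json, auth_data, challenge):
    """Return the list of failed binding checks; an empty list means all passed."""
    failed = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != challenge:
        failed.append("challenge")
    # The browser writes the origin; page script cannot choose it.
    if cd.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")
    # The authenticator signs over the hash of the RP ID it was asked to use.
    expected_hash = hashlib.sha256(EXPECTED_RP_ID.encode()).digest()
    if len(auth_data) < 37 or not hmac.compare_digest(auth_data[:32], expected_hash):
        failed.append("rpIdHash")
    return failed


if __name__ == "__main__":
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed sample value
    legit = make_assertion("https://github.com", "github.com", challenge)
    # A phishing page can only obtain assertions scoped to its own domain.
    phish = make_assertion(
        "https://githubcom.totally.legit.xyz", "githubcom.totally.legit.xyz", challenge
    )
    print("legit:", check_binding(*legit, challenge))
    print("phish:", check_binding(*phish, challenge))
```

Because both structures are covered by the authenticator's signature, a relay cannot rewrite the origin or RP ID hash without invalidating it.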

      Regarding personal domains for e-mail. I understand where that argument is coming from, but what about the other side? Using someone else’s domain means you rely on them paying up, rely on them not asking you for money, rely on not being blocked or down, which Gmail was a couple of times. While I could argue downtime is still okay in the context of preventing your account from being stolen, I think it’s not so clear-cut. After all, if you have your own domain you can more easily migrate.