[selykg]

This is all part of the FIDO Alliance, so, a standards based solution that anyone with the wherewithal to implement it can do so. Many password managers have already said they'll be supporting it, as well as major vendors (Google and Apple for instance).

I'm struggling to see your complaint being a valid one. This is basically webauthn, so use a Yubikey or similar device if you wish.

[dane-pgp]

When you say "the FIDO Alliance", you mean the entity that runs a Metadata Service[0] which:

> provides organizations deploying FIDO Authentication with a centralized and trusted source of information about FIDO authenticators.

The aim of this centralized system is to allow revocation of hardware that doesn't meet their unchallengeable opinion of whether you've spent enough money on your device or not. They can similarly require that devices do biometric scanning[1], and be issued by your government, and require you to agree to lengthy (and self-updating) terms of use.

There are actually (at least) two different types of device attestation that FIDO support[2]. One uses a hardcoded on-device private key, that's common between 100,000 devices of the same model, which means that an attacker can brick 99,999 other people's devices just by extracting the key from their own device. The other method requires a certificate from a "trusted third-party Attestation CA", which presumably allows a malicious (perhaps government-mandated) CA to spy on (and filter) every login request you make.

This system is like a dystopian parody of the traditional model of web security, which had no need for "authenticators that have a Trusted Platform Module (TPM) onboard", and which only required CAs to be on a list that the user agent is in control of (and users can add their own CAs to). Instead, what FIDO are building is basically DRM for human identity, with all the corruption and failure modes that entails.

[0] https://fidoalliance.org/metadata/

[1] https://fidoalliance.org/specs/biometric/requirements/

[2] https://research.kudelskisecurity.com/2020/02/12/fido2-deep-...

[stevewatson301]

You'll be out of luck when trying to switch from one ecosystem to another (for example, from Apple to Google).

[selykg]

This is really no different between switching hardware devices.

Step 1. Sign in using your existing device

Step 2. Add your new device

Step 3. Remove your old device (or keep it for a backup)

And if you feel that's going to be a big issue for you, use a 3rd party software based tool like Bitwarden, 1Password, or other tools that have indicated they'll be supporting this. That info will sync between those software based tools and allow you to use whichever devices you wish, across multiple platforms with minimal effort.

[dane-pgp]

> Step 1. Sign in using your existing device

That's possible, unless you are switching device because your previous one broke (or was destroyed/stolen/lost).

I imagine that Apple has very precise data about the reasons why (and situations where) people switch from iOS to Android, and making that switch as unthinkable as possible is part of their user-retention efforts.

[selykg]

Sure, but here's the deal with this. Even with Yubikeys it has always been recommended (as long as I've been involved in these types of discussions anyway) that you should have two of them. If you lose one you have one safely secured that can get you into any service you need to.

This is my general stance on it as well, and one that I think I would still strongly recommend even in this new Passkeys era. That would cover situations where your device is damaged and you can't easily turn the old device on.

Part of this is solved by these keys being synced on each's services, they're synced via iCloud Keychain on Apple's side for instance, so you'd just need to get a new Apple device, sign into your iCloud account and provide the password for iCloud Keychain then you're off to the races. But if in the middle of this you opt to switch from Apple to Android, you're SOL unless you have a backup.

Just my two cents on it, I don't think any of this completely solves the need for backups, but for some portion of people it probably does, and that's those that are unlikely to switch between platforms.

[tjoff]

>If you lose one you have one safely secured that can get you into any service you need to.

Even that is not good enough, by a longshot. This is so much worse than even regular passwords.

It works for corporatiosn. Lost your key? Go to IT and generate a new one.

It does not work for individuals.

[potatoz2]

If you don’t trust yourself to have backup keys, you use the Google or Apple ecosystem. As long as you can get back into your Google or iCloud account, you can get back into every other passkey-protected website. You can also use third-party “cloud” password managers if you prefer.

WebAuthn lets you dial the convenience/security tradeoff exactly however you prefer. I’ll be using hardware tokens, but I’ll be telling non-technical people to use their existing smartphones.

[selykg]

You realize you can have multiple devices for Passkeys, right?

It’s webauthn. Which means you can have one or more of the following, in any mix you wish: yubikey, iPhone, Android device, password manager that has said they’ll support this (1Password, Bitwarden, Dashlane, and probably more).

Password managers will sync the private keys between devices as well. So, as long as you can access your password manager you should be able to use that.

[greatgib]

Remember how gmail was just imap/smtp? etc...

[donio]

Yes, and it still is. I have been using Gmail since 2004 and I very rarely touch the web or mobile UIs. 99% of my interactions with it are through SMTP and IMAP. I don't think that Gmail has fundamentally changed in this sense, it has just gotten very popular.

The various incarnations of their chat services is a better example. Gtalk used to have great XMPP support, even federation for a while. All remnants of that are gone now so I had to stop using it.