by Mindless2112 1340 days ago
> If you don't like Google or Apple, use your favorite password manager.

Unless the service you are trying to use requires that you use a particular model of authenticator, which the service provider can enforce via attestation.

4 comments

> Unless the service you are trying to use requires that you use a particular model of authenticator, which the service provider can enforce via attestation.

Android's implementation of passkeys currently does not support attestation. https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/nh...

Neither does Apple's, I believe.

Good to know! Hopefully this kills off unnecessary use of attestation.
Isn't it even worse? Browser vendors don't even offer any way to not use their baked-in authenticator? With WebAuthn they offered at least the options of using a security key via Bluetooth/NFC/Bluetooth as alternatives to the device authenticator. I don't see that option with passkeys.

So, there seems no way to use a password manager with passkeys.

They can do this with SSO provided by third parties now.
Sure, but passkeys are meant to replace passwords, not SSO (although I won't complain if they do replace SSO).

Most services probably would not restrict you to just one model of authenticator, but it wouldn't surprise me at all to see a service require that the authenticator be backed by a secure element, in which case you could use a security key, a passkey, a TPM, et cetera, but not a password manager. I'd still take that over passwords, but I don't think everyone would.
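The enforcement the thread is arguing about, as an added illustration that is not from this thread or any project: at registration a relying party inspects the attestation format and the AAGUID in the authenticator data to decide whether an "only these authenticator models" policy is even verifiable. It assumes the attestationObject has already been CBOR-decoded into `fmt` and `authData` by a WebAuthn library; every byte value below is constructed, and verification of a real attestation signature chain is deliberately left to that library.

```python
import struct
from dataclasses import dataclass

# Constructed sample values, not taken from any real authenticator.
RP_ID_HASH = bytes(32)    # stands in for SHA-256 of the RP ID
ZERO_AAGUID = bytes(16)   # what "none" attestation usually carries
SAMPLE_AAGUID = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: bytes
    credential_id: bytes

def parse_auth_data(auth_data: bytes) -> AuthData:
    """Parse the fixed-layout prefix of WebAuthn authenticatorData."""
    if len(auth_data) < 55:
        raise ValueError("authenticatorData too short for attested credential data")
    flags = auth_data[32]
    if not flags & 0x40:  # AT flag: attested credential data is present
        raise ValueError("AT flag not set; no credential data to parse")
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    aaguid = auth_data[37:53]
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    credential_id = auth_data[55:55 + cred_len]
    if len(credential_id) != cred_len:
        raise ValueError("truncated credential id")
    return AuthData(auth_data[:32], flags, sign_count, aaguid, credential_id)

def can_enforce_model(fmt: str, auth_data: bytes, allowed_aaguids: set) -> tuple:
    """Return (accepted, reason) for a 'require these authenticator models' policy.
    With fmt 'none' (what Android/Apple passkeys return) the AAGUID is an
    unauthenticated claim, so the policy cannot be verified and the RP must
    either reject the registration or drop the requirement."""
    ad = parse_auth_data(auth_data)
    if fmt == "none":
        return False, "no attestation statement; authenticator model cannot be verified"
    if ad.aaguid not in allowed_aaguids:
        return False, f"AAGUID {ad.aaguid.hex()} not on the allow-list"
    return True, "attested AAGUID is allowed (attestation signature still to be verified)"

def build_auth_data(aaguid: bytes, cred_id: bytes, sign_count: int = 0) -> bytes:
    """Construct sample authenticatorData with UP|AT flags set. The COSE public
    key that follows the credential id in real data is omitted; the parser above
    does not read it."""
    flags = 0x01 | 0x40
    return (RP_ID_HASH + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id)
```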

I recently got hardware TOTP keys and I wanted to use them with my financial accounts but all the banks have their own proprietary authenticators :(