Hacker News
by xg15 1341 days ago
> There's no lock-in, because the key is portable (unless you don't want it to be).

> There's no security issue, because it's unphishable and can be unstealable if it's in hardware.

You mean, you can (in theory) choose whether you'd rather have a lock-in or a security issue. Both options are mutually exclusive; you can't have them both at the same time.


No, I don't. You don't have to use Google's thing, use an open source password manager that syncs via Dropbox or whatever. Same thing, different vendor.

Sure I can. But then, if an attacker gains access to my device, so can they. They can just set the phone to sync with their own cloud service.

Phishing would also be back on the table: The phishers' narrative would just change to something like "Dear $user, we're upgrading our systems. For technical reasons, please change your sync target to $url, otherwise you will lose access to all your logins. Yours truly, Dropbox"

My understanding was that many of the advertised security properties of passwordless logins stem from the property that no one, not even the owner of the account, has access to the key. This renders phishing impossible because the user cannot physically give away the key even if they wanted to.

But that solution is fundamentally incompatible with copying the key to anywhere else.

No, it's not a choice between "lock in" and "security issue". Google is both "lock in" and "security issue". A Solo key is neither.

The tradeoff is, as always, between security and convenience.