by sebk 1217 days ago
> This is by design.

I know, and I don't like being forced to make this tradeoff. This protects the hardware vendors, and inconveniences me. It might leave everyone else unprotected, if the alternative ends up being using virtual authenticators like this: https://www.future.1password.com/passkeys/

> No, you just authenticate with your iPad passkey (using qr code)

I also know this, as the paragraph immediately after the one you quoted says. It's also a hassle. It makes me have to have one device to register others, and it makes me have to maintain several sync fabrics, which I don't want to have to do.

To clarify a bit, I don't want Passkeys in Apple's sync fabric to sync with Microsoft. What I want is the ability to have a third-party Passkey manager that can leverage TPMs and Secure Enclaves to generate, export, and import its own key material across devices from different manufacturers. Exactly like how 1Password envisions its future Passkey offering, but backed by hardware.


> it makes me have to maintain several sync fabrics

Yes, that's the con. That's why 3rd parties like 1Password exist. Of course, they have to fight to get their plugins into the Big 3, as the Big 3 want you to use their systems.

But also the pro is that if you lose access to your sync fabric X (security breach, account closure), you can still use sync fabric Y. It's like backup fido2 tokens.

I think the security benefit of passkeys outweighs the small vendor lock-in they might create.

> But also the pro is that if you lose access to your sync fabric X (security breach, account closure), you can still use sync fabric Y. It's like backup fido2 tokens.

This is forced. I'd rather decide to do that myself depending on what my risk tolerance is. The charter of the WebAuthn working group is to provide a phishing resistant authentication mechanism, not an account-closure resistant mechanism.

> I think the security benefit of passkeys outweighs the small vendor lock-in they might create.

Absolutely, but we shouldn't have to choose! I'm not so sure the Big 3's desire for you to use their systems outweighs their desire for you not to get phished (since it also carries a cost for them), so I believe they at least have some incentive to play nice.

It might inconvenience some, but it is superior for the majority of global users vs passwords and MFA of various strengths and phishing resistance. Can’t solve for everything in one go.

My concern is that without it, people might default to a software implementation that's interoperable. While significantly better than passwords, it's still worse than hardware-backed keys.

> Can’t solve for everything in one go.

Sure, but that's the FIDO alliance working group problem, not ours. As consumers, I believe we should actively ask for these things.

Most people probably should default to a software implementation. Hardware keys are fine for work where IT can send you a new one and your employer eats the cost of their security measures while you can't do work, but for day-to-day life they introduce risks or restrictions I don't want while solving problems I don't have.