by cmdli 1141 days ago
This is something that I think is a bit of a security tradeoff. Hardware-based keys are absolutely more secure than software ones, but they come with significant usability limitations. I worry that if RPs restrict themselves to only hardware-based keys, then that will kill adoption of passkeys in general and we will be stuck with passwords. Software passkeys are already a significant security upgrade over passwords, and so I would like to see them gain adoption.

In my ideal scenario, users would be able to use software passkeys for most websites, and then have hardware authenticators either for the vault of software passkeys or directly for a few key websites.

1 comment

Yeah don't get me wrong, I wasn't disagreeing. I think the lack of interoperability is a major risk to adoption, but I also understand why we don't have interoperability today and why we likely never will.

What I'd like to see password manager vendors like you do, though, is to push FIDO and the OS vendors to have richer APIs for interacting with the hardware components that can back keys. To be clear, I don't want to use Bulwark to manage or export passkeys in my iCloud Keychain (I'm confident that will never happen), but I want Bulwark to be able to create a passkey that is backed by a secure element in macOS, and then be able to request a wrapped version of that key to be exported, and later imported into a TPM running on a Windows OS.
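The create, export-wrapped, import flow sketched in the comment above, as an added example that is not code from the original thread, from Bulwark, or from any OS or FIDO API: a Go simulation in which two Backend values stand in for the macOS secure element and the Windows TPM. Everything named in it is an assumption for illustration: the 32-byte per-backend import key (a real design would wrap to the importer's public key rather than to a symmetric key), the AES-256-GCM blob format with credID|rpID as associated data, the RP ID example.com, and the constructed challenge. It shows the property the wish list depends on: the private scalar never leaves a backend unwrapped, a blob addressed to the TPM fails to import anywhere else, and an assertion signed after import still verifies against the public key the RP stored at registration.

```go
package main

// Added example, not code from the thread or from any OS or FIDO API. Two Backend
// values simulate the Mac secure element and the Windows TPM; for illustration each
// holds a 32-byte import key (a real design would wrap to the importer's public key).

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }

// Backend stands in for a hardware key store. Unknown credential IDs panic (simulation only).
type Backend struct {
	importKey []byte                       // only this backend can unwrap blobs sealed under it
	keys      map[string]*ecdsa.PrivateKey // ES256 (P-256) passkey private keys by credential ID
	rpIDs     map[string]string            // the RP ID each credential is bound to
}

func NewBackend() *Backend { return &Backend{importKey: randBytes(32), keys: map[string]*ecdsa.PrivateKey{}, rpIDs: map[string]string{}} }

// CreateCredential mints a passkey for rpID; the RP stores the returned public key.
func (b *Backend) CreateCredential(rpID string) (credID string, pub *ecdsa.PublicKey) {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	credID = "cred-" + rpID // constructed ID; real credential IDs are random
	b.keys[credID], b.rpIDs[credID] = k, rpID
	return credID, &k.PublicKey
}

// WrappedKey is the portable blob: the private scalar sealed with AES-256-GCM, AAD = credID|rpID (no re-binding to another RP).
type WrappedKey struct {
	CredID, RPID      string
	Nonce, Ciphertext []byte
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func aad(w *WrappedKey) []byte   { return []byte(w.CredID + "|" + w.RPID) }

// ExportWrapped seals a credential under the recipient backend's import key.
func (b *Backend) ExportWrapped(credID string, recipientKey []byte) *WrappedKey {
	aead := gcm(recipientKey)
	w := &WrappedKey{CredID: credID, RPID: b.rpIDs[credID], Nonce: randBytes(aead.NonceSize())}
	w.Ciphertext = aead.Seal(nil, w.Nonce, b.keys[credID].D.FillBytes(make([]byte, 32)), aad(w))
	return w
}

// ImportWrapped unwraps a blob addressed to this backend and reinstalls the key.
func (b *Backend) ImportWrapped(w *WrappedKey) error {
	scalar, err := gcm(b.importKey).Open(nil, w.Nonce, w.Ciphertext, aad(w))
	if err != nil {
		return errors.New("unwrap failed: " + err.Error())
	}
	pt := must(ecdh.P256().NewPrivateKey(scalar)).PublicKey().Bytes() // validates scalar; 0x04||X||Y
	k := &ecdsa.PrivateKey{D: new(big.Int).SetBytes(scalar)}
	k.Curve, k.X, k.Y = elliptic.P256(), new(big.Int).SetBytes(pt[1:33]), new(big.Int).SetBytes(pt[33:])
	b.keys[w.CredID], b.rpIDs[w.CredID] = k, w.RPID
	return nil
}

// Sign produces an ES256 assertion signature over the RP's challenge.
func (b *Backend) Sign(credID string, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, b.keys[credID], h[:]))
}

// RoundTrip: register on the Mac, migrate to the TPM, assert from the TPM; a blob for the TPM must not import elsewhere.
func RoundTrip() error {
	mac, tpm, other := NewBackend(), NewBackend(), NewBackend()
	credID, rpPub := mac.CreateCredential("example.com")
	blob := mac.ExportWrapped(credID, tpm.importKey)
	if other.ImportWrapped(blob) == nil {
		return errors.New("blob addressed to the TPM unwrapped on another device")
	}
	if err := tpm.ImportWrapped(blob); err != nil {
		return err
	}
	challenge := []byte("constructed-rp-challenge") // constructed sample input
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(rpPub, h[:], tpm.Sign(credID, challenge)) { // key registered from the Mac
		return errors.New("assertion from the imported key did not verify")
	}
	return nil
}

func main() { must(0, RoundTrip()) }
```

Run it with `go run`; RoundTrip returns nil when the wrong-recipient import is rejected and the post-import assertion verifies. The associated data is what makes the blob worth more than a bare key file: an importer that only checked the ciphertext could be handed a blob with the RP ID swapped, whereas here that tampering fails the GCM tag check.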