[stavros]

Well, I disagree. People aren't saying "I want to use this today and can't because X is missing", they're saying "I'm opposed to this technology because X will never be possible", when it will be.

Look at this comment, as the first example I found:

https://news.ycombinator.com/item?id=36237683

It basically says "Passkeys = USB keys", which is wrong. If you don't like the tradeoffs that specific authenticator makes, use another passkey authenticator type.

"Passkeys are strictly less secure" is just objectively wrong.

[zamadatix]

While I do agree that thread is different, it'd make sense to reply to that thread about it instead of this one.

[stavros]

I don't think it is different. I mostly see people dismissing Passkeys as a technology because of X or Y thing that "they don't do", when that's either a mistaken assumption, or something they don't do right now.

[zamadatix]

Mistaken assumptions, sure. What "mostly" people do maybe, it depends on those conversations. What Passkeys might do in the future is irrelevant to whether it makes sense for people to be dismissing them now, though, and confusing/frustrating to read about in these kinds of threads (maybe not other threads).

Today, you can seamlessly sync your passwords, export them, and utilize auto-fill integration across the aforementioned devices. Not "it could be possible based on the design if the manufacturers and apps wanted to do it", it is possible.

Today, it is not possible to do the same on those devices using Passkeys. That's not the same as claiming "it's guaranteed to forever be impossible because of the inherent design of Passkeys" and reading every conversation as such could well be the source of why the misconceptions seem so common. There is little to no guarantee from any of these manufacturers it will ever be possible either, so predicating the conclusion on that possibility of change definitely occuring isn't sensible. Again, not because the Passkey spec can't, the devices/implementations may just not want to. Remember, the spec doesn't require devices and implementations allow it to happen, it just accommodates for the possibility.

If implementations available for people to actually use change in the future, so will the dismissals. In the meantime, the dismissals of what's not possible are not misconceptions just because it's possible it may change down the line. It still remains impossible right now, even though I'm hopeful it will become possible in the future.

And again, sure - other threads probably have a lot of flat mistakes or different claims. But, if I wanted to discuss what other threads are saying, I wouldn't be reading and replying in this one.

[NikolaNovak]

Thank you for eloquently putting this. I am exactly in that boat. I'm reasonably IT savvy but not a security researcher. I help a large number of not tech savvy people with advice.

I don't care to either dismiss or evangelize the technology based on what it may or may not be able to do in the future. My questions are whether these are user friendly and usable today or should I wait and see. I feel all my concerns of "if I and my family adopt this right now, today, on my actual devices, what are my risks and capabilities? How can I safety my family and backup things and set them up for success?" Are answered with "in the future, in theory, somebody somewhere will come up with this solution which is not currently strictly prohibited "