[drdaeman]

> If you don't like the current solutions, write your own

Do you see all the large vendors cooperating on letting third party Passkey implementations seamlessly replace their own? I don't. Do you think it is realistically (and not theoretically) possible to implement a new solution that would provide the security properties as good as sum of all individual fragmented options? I'm not sure. And even if someone spends enormous resources and makes it all real, there's still that issue of a Yubikey in a safe.

Sorry, but if N implementations require that inconvenient process I've explicitly outlined, having N+1 option still won't fix it.

And it's the standard's fault, not "the implementations aren't there yet". The standard had not addressed this, even though it's pretty much obvious this is going to be an issue on the very first day someone who isn't an ideal customer (100% lifetime loyal to one single vendor) uses Passkeys.

When I'm setting up SSH keys on a host I can either give it a list of all my keys, or CA certificate to trust, but I don't have to grab all the individual devices. Here, I must.

Attestation is another potential issue, but it's not a problem today.

[stavros]

> Do you see all the large vendors cooperating on letting third party Passkey implementations seamlessly replace their own?

Yes, given that I use my open source Solo 2 to log in to any Passkeys-supporting site already. It's not about whether they will support it. It's an open standard, you can use whatever you want.

[drdaeman]

This means you have one single Passkey system. I'm talking about multiple Passkey systems and that there is no way to make it work without a very inconvenient process.

Three arguments:

1. Redundancy and failover. Without backups, "if I'll lose access to that account" is not even a question, "when" is. Unless you have a second Solo 2 in your safe - some day, you will lose that account. You may be able to recover it, of course, but that's another story (a story of security properties of your account and ability to access it without having credentials).

2. Availability. If some device (e.g. an iPhone) won't support your Solo 2 (e.g. you don't happen to carry that Lightning-to-USB-type-A adapter) - you don't have access anymore, even if you have your key with you.

3. Convenience. You may log in only with your single Solo 2 key, but you'll probably want to be able to log in to your websites from your phone, without having to walk to your desk (even if for a few feet) to grab the physical key for every single new website.

I can think of a scenarios where you won't hit those limitations. The problem is, they're not some weird ass case for silly nerds - they're real situations that are gonna happen to your average Joe (but he, unlike nerds, won't really think about those until they happen).

[stavros]

Again, though, that's beside the point. If you want a system that provides that, use one. You aren't locked in to any single company. It's an open standard.

[drdaeman]

Again. No system that I know about provides those properties today, so your "use one" advice is, unfortunately, impossible at the moment. Well, without having that rite I've already mentioned a few times (which violates the "convenience" property).

It's an open standard that everyone are building siloed systems on. It's exactly as you have said - I'm not locked in to any single company, but if I have devices or programs from multiple companies that bundle different implementations and don't let others in, I don't have any means to make them interoperate.

This could change someday. Fortunately, there is no fundamental design issue that prevents it. But I'm talking about what exists today and how the standard is bad for not even trying to address it, despite this being a very obvious issue.

[stavros]

I don't think that's the case. Yes, you'll have to wait a little while, but it's not like many sites support this today anyway. Very soon, most password managers will support it (KeePass does today, AFAIK), and then you can use your password manager as your Passkeys provider on all your devices.

[drdaeman]

> KeePass does today

Not yet: https://github.com/keepassxreboot/keepassxc/issues/8214 (and https://github.com/keepassxreboot/keepassxc/pull/8825)

And even if they will, they're at mercy of e.g. Apple letting anyone to replace iCloud Keychain with a third-party password manager. Which is also not possible yet. Probably the same for Android, although I'm not sure what's the situation there today. (But whatever it is, I would say that "well, don't use Apple/Google devices" is not an option for many in the current duopoly.)

All this can be solved, but the issue that is is not - today. So, today, I'm voicing my discontent.

> and then you can use your password manager as your Passkeys provider on all your devices

In an ideal world - yes. Sadly, I can't do this today with passwords, even though the world had spend many decades on trying to make things as seamless as possible. Over last year I've had to manually open a password manager on one device and type a password on another more than a few times.

The most obvious example is logging in to a streaming service on a smart TV - one step away from the normal conditions (scan-QR-code-on-my-phone flow not working) and typing password is the only option. Netflix is gonna love passkeys so users will possibly have slightly harder time logging in on others' devices ;-) BTW, sharing passkeys is also not exactly a solved issue - yet (even though some vendors made some promises).

Then, there's a case of accessing from untrusted devices (say, a net cafe). Theoretically, Passkeys should be a drastically superior solution to passwords - I would be able to plug in a security key, and it won't leak the keys, so even if a machine has a keylogger or network sniffer I'm still fine. In practice, however, enrolling a physical security key (Yubikey, Nitrokey, Solo) requires having it physically available, so it's always going to be inconvenient - and this is not changing until the standard extends or changes. Worse for multiple keys (I have four so every Webauthn sign-up is a pain in the ass). Because I'm most certainly not installing my password^W passkey manager on some untrusted machine.