by cmdli 1083 days ago
I would flip this argument around: if the only way to use passkeys effectively is to be locked into a single platform, then passkeys will never take off.

Login with Facebook has existed for years now, but not everybody with a Facebook account uses it, even if they can. Why? Because that vendor lock-in means that people are discouraged from using it in all cases. Banks don’t want to use it. Other large websites don’t want to use it. Businesses don’t want to use it internally.

I think that there will be significant enough demand for third-party, open solutions that passkeys will succeed. If there isn’t that demand, then it will fail overall.

3 comments

OAuth/OIDC flow through Facebook (or whoever) doesn't really have the same tight integration into the browser/OS that WebAuthn proposes, however. There's also no compelling reason for 'Website X' to support OIDC with Facebook/Google/Yahoo/other, because there are too many choices, and if the provider of choice is down, your site is inaccessible to those users.

The major browsers and OSes already support WebAuthn, so it may be compelling for all 'Website Xs' to implement it, though the linked article presents a (dated) concern that they won't.

That's not the part I'm worried about: WebAuthn as a standard may work almost everywhere, but as a user, your ability to bounce around between browsers/OSes with your secrets coming with you may be restricted.

None of your observations strike true; perhaps you are assuming too much thought on the part of the average user. People use 'Login with FB' (and others) because it is convenient, there is nothing more to it. It's only a small fraction of the population that are aware and choose to avoid using it due to the potential for lock-in.

Yeah, the remark about businesses was more persuasive. Banks and other large B2C organisations are much more likely to care about commercial lock-in and the compliance risks of using Facebook login than consumer users.

I have Facebook (albeit rarely used) and Google accounts. Many sites offer me the option to sign in with one or the other of those. I've used Google for Stack Exchange, but otherwise would never use these for anything. Both those companies know enough about me already.