[stavros]

You're right about the level of discourse, and it's become especially obvious to me whenever there's a discussion about passkeys. Everyone keeps repeating the same debunked arguments over and over, with only maybe one argument (attestation) holding some water.

It's too bad, I'm really excited about passkeys increasing authentication usability (and security second, for me), but most people here seem to want to hold on to passwords, as if they aren't both terrible UX and terrible security.

[danShumway]

There is not a single implementation from any major provider, including 1Password, that supports moving passkeys across ecosystems. When asked about this 1Password said that they're trying to lobby FIDO to support a migration spec but they don't have any timeline.

It's not that the arguments have been debunked, it's that advocates seem to almost purposefully misunderstand what people mean when they talk about attestation, portability, and account recovery. Registering multiple devices isn't portability. Keeping keys within a single ecosystem isn't portability.

Additionally, advocates ignore the current state of the ecosystem in favor of only talking about what the ecosystem is intended to be. A nontrivial number of services are using passkeys as a 2FA token. As a result, the current state of the ecosystem is that even ignoring the issue with providers, even websites themselves are not presenting a unified vision of what passkeys are intended to be. It borders on misinformation. No one is in alignment about what passkeys are, and multiple problems are being systematically ignored, and saying that the criticism is "debunked" isn't going to change that fact.

[wkat4242]

Attestation is a big barrier for self hosting which is the only way I'd adopt it.

But afaik the biggest implementation of passkeys (Apple) doesn't support attestation so right now it's not a problem, nobody requires it in order not to lose all the Apple userbase. This may change in the future though.

Another problem is no self hosted toolchain with full cross platform sync but hopefully it'll come.

[lxgr]

Attestation is basically gone – it doesn’t work with cloud sync, which is largely where things seem to be moving.

My main concern at this point is user confusion, followed by platform lock-in.

Or am I missing a way for users migrate from the Apple ecosystem to Google or vice versa, for example, without registering new passkeys for all of their accounts before they trade in their old device (or it breaks and they try to recover on another platform)?

Not even 1Password supports exportable passkeys at this point. Apple even lets me easily share them across accounts (which seems like a huge risk!), but obviously not across ecosystems either.

[wkat4242]

I'm hoping bitwarden will start offering this. After all it's open source and with its own server you can self-host, so once it does we should be able to own it all ourselves. I also have zero interest in this if it means being tied into Google or Apple.

[lxgr]

Bitwarden is planning to release their implementation in October: https://bitwarden.com/blog/bitwarden-passkey-management/

[stavros]

> Attestation is a big barrier for self hosting which is the only way I'd adopt it.

The issue I have with attestation it that I feel that I feel that we're saying "is it a problem?" "no, but it theoretically could be, so let's use passwords instead".

I think that passkeys are better than passwords, even with attestation, and if it becomes a problem, we can complain about it then.

[wkat4242]

Attestation is a huge problem because it can be used to exclude self-hosted systems, which is the only way I would even consider using passkeys. I abhor "sign in with Google/Microsoft/Meta...etc" things too.

For example the admins at my work refuse to "certify" any security keys other than yubikeys. And because those do support attestation it is not possible to circumvent it. For work it's not an issue, they will just have to supply me a key if they want me to use the damn thing, but I don't want consumer-focused sites to use it obviously. Attestation is inherently evil and anti-FOSS.

I just won't opt in to it until attestation is gone, but thanks to iCloud not offering it, it is currently not demanded by any of the sites.

[beej71]

> Everyone keeps repeating the same debunked arguments over and over, with only maybe one argument (attestation) holding some water.

Is there a good web page that summarizes all this? Because I can't tell if I'm wrong or not with some of my questions.