by danShumway 970 days ago
Blegh... to be clear, I'm not trying to be snippy with you in specific, and you're right that it is a big deal for KeePassXC to add support. It's a step in the right direction. Sorry for the sarcasm.

I'm just frustrated about stuff like this:

> and some sites still ignore Firefox because of missing support

> Apple does not work because they have restricted the Passkey creation outside the browser.

> Every other password manager browser extension injects same kind of scripts to every page (1Password included), because browsers lack an open API for WebAuthn.

These are all failures of the FIDO Alliance. This is a really bad position for implementations to be in, and it is on the FIDO Alliance that doing things like restricting passkey creation isn't a blocker for certification. It's on the FIDO Alliance that there are recommendations going out from passkey providers that ordinary users should start using passkeys via browser extensions when there literally isn't an API for those extensions to hook into yet. If sites are blocking log-in from browsers even just via user-agents, that's on the FIDO Alliance for not shutting that crap down, especially in the occasional instances where the companies doing it are FIDO Alliance members.

Passkeys just aren't ready. It's a technology that is conceptually really cool that could in an alternate universe be easy to recommend as a full replacement for passwords -- but because it's getting rushed out with serious caveats and with a complete disregard to user autonomy and freedom or even just consistency between implementations, the first experience most users have with this is going to be awful.

Honestly, it's a failure of the FIDO Alliance that to talk about Linux support I need to know the difference between a hardware-bound and roaming key; that is too much complication for a password replacement. Especially when the actual documentation about which platforms support what is basically nonexistent. It's just a giant incomprehensible mess.

----

To kind of emphasize the point: I can't give you a genuinely confident answer about whether or not Linux is intended to be able to support devices without gesture or biometric support. KeePassXC doesn't require this as far as I can tell, and nobody is shutting them down so maybe it's OK? But also there is no official acknowledgement outside of social media from the FIDO Alliance that this exists (at least, not that I can find anywhere), and from my own reading of the WebAuthn spec my instinct would have been that biometric/gesture support (validation of user presence) is a device requirement in the spec and that PINs aren't a substitute.

Am I reading wrong? Is this just a part of the spec we're ignoring? Is KeePassXC doing something behind the scenes to get around that requirement? I don't know. Sure would be nice if there was an Alliance that could clarify those things in official documentation on a user-facing site. But I guess in the meantime I can settle for more Ars Technica and EFF articles about how you should consider using passkeys today...

Not your fault, it was good for you to point out KeePassXC. I just don't want people looking at that and saying, "oh, so the Linux situation is solved." It's not only not solved, I don't think I could give a fully accurate description of what the Linux situation even is or what the main problems are standing in front of it, because the current status of the blockers is ambiguous and messy, and the FIDO Alliance does not seem to think that is a problem that it has any obligation to care about.
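The comment above asks whether "user presence" is a device requirement in WebAuthn and whether a PIN can stand in for a gesture or biometric. The place where this is actually decided is the relying party's verification step: the authenticator data returned with every assertion carries a flags byte with a separate User Present (UP) bit and User Verified (UV) bit, the spec requires UP to be set on every assertion, and UV is enforced only when the RP asked for `userVerification: "required"`. The flags do not say how the authenticator satisfied UV; that is the authenticator's side of the protocol (for CTAP2 authenticators, a client PIN is one of the accepted user-verification methods). The following is an added example, not code from the thread or from KeePassXC, showing how a relying party parses that flags byte and applies its UV policy. The RP ID `example.com` and the sample authenticator data built by `make_auth_data` are constructed for the example; a real assertion would also need its signature verified over `authenticatorData || SHA-256(clientDataJSON)`, which is outside this snippet.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # bit 0: User Present (a test of user presence succeeded)
FLAG_UV = 0x04  # bit 2: User Verified (PIN, biometric or other UV method succeeded)
FLAG_BE = 0x08  # bit 3: Backup Eligible (WebAuthn Level 3)
FLAG_BS = 0x10  # bit 4: Backup State (WebAuthn Level 3)
FLAG_AT = 0x40  # bit 6: attested credential data follows the fixed prefix
FLAG_ED = 0x80  # bit 7: extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data into its fields:
    rpIdHash (32 bytes), flags (1 byte), signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def check_assertion_flags(auth_data: bytes, rp_id: str, user_verification: str):
    """Relying-party checks on an assertion's authenticator data.

    user_verification mirrors the value the RP put in
    PublicKeyCredentialRequestOptions.userVerification:
    "required", "preferred" or "discouraged". Returns (ok, reason).
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False, "rpIdHash does not match the expected RP ID"
    # The spec requires the UP bit on every assertion, whatever the UV policy.
    if not parsed["up"]:
        return False, "User Present (UP) flag not set"
    # UV is enforced only when the RP required it; "preferred" and
    # "discouraged" accept the assertion either way (the RP may still
    # record parsed["uv"] for risk decisions).
    if user_verification == "required" and not parsed["uv"]:
        return False, "User Verified (UV) flag required but not set"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticator data (not a real authenticator's output)."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "example.com"  # constructed RP ID for the demo
    cases = [("UP only", FLAG_UP), ("UP+UV", FLAG_UP | FLAG_UV), ("no UP", FLAG_UV)]
    for label, flags in cases:
        for policy in ("required", "preferred"):
            ok, why = check_assertion_flags(make_auth_data(rp, flags), rp, policy)
            print(f"{label:8} policy={policy:9} -> {ok} ({why})")
```

Running the block shows the two checks separately: an assertion with only UP set passes under `"preferred"` but fails under `"required"`, and an assertion without UP fails regardless of policy. An RP that wants a PIN-or-biometric guarantee therefore has to ask for it explicitly and check the UV bit itself; nothing in the assertion tells it which UV method the authenticator used.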