[nivenhuh]

For folks who don't know how passkeys work at a technical level, take a look at this implementation guide: https://webauthn.guide/

I don't get the passkey hate -- moving to public key challenge for authentication is a strong step forward for web security. Each browser / OS safeguards & backs up the private key (and even if that's lost, you can still reset your auth credentials using a normal "forgot password" flow).

[jjav]

> I don't get the passkey hate

The linked article does a quite good job explaining why hating passkeys make sense.

Here's a key quote, but I do recommend reading the whole article.

> Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users then by locking all their credentials into your platform, and even better, credentials that can't be extracted or exported in any capacity.

[tadfisher]

I don't believe this is necessarily true, as far as intent goes. I think Apple and Google focused on a core use case, shipped it, and subsequently lost interest or fired everyone involved.

Unfortunately, this scenario is indistinguishable from one in which they deliberately mishandled the specs in order to lock in users.

[skarra]

Thanks for your faith. I work on the team shipping passkeys at Google. We are very much hard at work to realize the full potential of passkeys. Platform lockin serves no one. That is no one's intent - independent password managers storing passkeys is already a thing today. More interop will come once relevant standards are blessed.

[jiggawatts]

I’m sorry, but you’re either naive or lying.

This is precisely like the imaging standards trying to replace JPG. After two decades of vendors like Google trying to establish a new standard, I can’t send anything other than an SDR sRGB JPEG to anyone, especially to an Android user.

The current post-JPG formats may as well be called “the Apple format”, “Google image”, and “Netflix pics”. There is no practical interoperability to speak of.

I’m seeing the exact same dynamics play out with PassKeys: lip service to interoperability, meanwhile consumers are left twisting in the wind, locked out of their lives because Google can’t play nice with Apple. Or Microsoft. Or anyone else.

“Interoperability is coming” is a statement in the same category as communist dictatorships promising true socialism and freedom… you know. Eventually. Just not now. Or next year… maybe later.

[skarra]

I said "more interop" is coming..

There is a significant amount of interop that already exists, that folks are looking past or just already taken for granted (which is actually fine too!). While on a Windows machine using Edge, you can save a passkey for your Google account to your 1Password vault, and use it to sign in to that Google account on Chrome on Mac (if you have signed in to the same 1Password account on the machines). Or you could use a passkey you saved to your iPhone / iCloud to sign in to the Google account on ChromeOS. This is the level of interop that exists today. This did not just happen magically - all these companies (and more) worked hard to make it happen.

Also speaking for Google accounts, passkeys are an additional option for users. Using a passkey is not preventing you from keeping any other sign in method on your account that you feel has less of the lockin risk.

[jiggawatts]

If you can enumerate the few specific scenarios that work, after “companies worked hard to make it happen”, then there is no interoperability to speak of.

This is like someone from North Korea saying that they are free because they’re allowed to go to three specific cities in China for work.

Interoperability is an afterthought.

Even if that NK citizen is allowed to go to dozens of foreign countries, he’s still not free. There’s a fundamental difference between enumerated positives and enumerated negatives. Interoperability would be if every combination worked with only a handful of exceptions.

PS: Literally just after I made the comment above I had to add a PassKey to PayPal and only 1 of 4 scenarios that I tried worked.

“Sorry, your browser is not supported.”

[CatWChainsaw]

I'll believe you when every home in America has a fusion reactor.

[jhasse]

> This is precisely like the imaging standards trying to replace JPG. After two decades of vendors like Google trying to establish a new standard, I can’t send anything other than an SDR sRGB JPEG to anyone, especially to an Android user.

Android supports WebP since Android 4, HEIF since Android 8 and AVIF since Android 14. They are only missing JPEG XL, but to my knowledge neither iOS nor Windows support that format natively either. Regarding interoperability and support for open formats Android/Google is way ahead of Apple or Microsoft in my experience.

[jiggawatts]

Having a library in the OS and actual interoperability are vastly different things. Not only do most consumer chat apps completely disregard HDR, but even worse, sending HDR images via almost any such channel has a high chance of the colours being mangled or -- at best -- silently converted to 8-bit SDR.

"Ultra HDR is amazing, but can be only viewed as such only on a Pixel phone. If I'm sending a pic to say FB Messenger it doesn't upload as Ultra HDR." https://www.reddit.com/r/GooglePixel/comments/17n0fkh/ultra_...

Also, unlike Apple iPhone users, people with Android phones tend to get stuck on older major versions and can't upgrade. Easily half of all Android phones out in the wild can't correctly tone map or display either wide-gamut or HDR still images.

You mentioned Android 4 and 8, but full support for wide-gamut (Display P3 and Rec.2020) was only supported starting with Android 14: https://source.android.com/docs/core/camera/wide-gamut

Android 8.1 was the first version to introduce any display colour management at all, which was in late 2017: https://source.android.com/docs/core/display/color-mgmt

As recently as May 2019, there were Android developers blog articles with titled "Wide Color Photos Are Coming to Android": https://android-developers.googleblog.com/2019/05/wide-color...

Similarly, mixed SDR and HDR content (i.e.: not just a full screen Netflix-style app) was supported only since Android 13: https://source.android.com/docs/core/display/mixed-sdr-hdr

[conradludgate]

You can absolutely do public key challenge authentication with passwords. You can use argon2 to derive the secret key for your account from your password and use that to encrypt a challenge message