[vouaobrasil]

That still means dependence on some software product to log-in to basic services. With a password, I don't need to use a software product.

What if I don't want to pay for Bitwarden, or buy a smartphone, or tie my log-ins to my computer? What happens when the WebAuthn standard evolves and only the big-tech companies have solutions for storing passkeys because little software vendors or open-source vendors don't support the standard as well?

What happens when password-based login is phased out because passkeys are SO much simpler...assuming the user acquiesces and signs up for a big tech company's service? Who will be able to choose then?

[sirn]

> What if I don't want to pay for Bitwarden, or buy a smartphone, or tie my log-ins to my computer?

Even with passwords, you'd still need an application or a device for 2FA, unless you keep a pack of scratch cards with you everywhere. So unless you go out of the way to avoid 2FA or use scratch cards, I don't think this change anything from the status quo, only now you have one less thing to remember.

[vouaobrasil]

Well, 2FA was the first step in making devices more entrenched. Passkeys are just the next step. So, it's not exactly passkeys in isolation that is the problem, but the lock-in to technology (and big tech for most people), and passkeys being another discrete but significant step in the process.

[fauigerzigerk]

On the contrary. Passkeys free us from complete dependence on mobile devices (and the telcos that distribute SIM cards) because passkeys can live on any number of desktop computers.

[vouaobrasil]

That is certainly a good point, but it doesn't free "us", only those smart enough not to use their phones for this purpose.

[fauigerzigerk]

I said "passkeys free us from complete dependence on mobile devices". Complete dependence means not having other options. Passkeys give us other options - all of us, not just those of us who decide to use those options at any moment time.

If most people use their phone for login that's fine. Many people don't even have another device.

What we should push for is passkey export, migration and backup features. The most likely lever that big tech could use for lock-in is making it near impossible to move those passkeys out of their closed ecosystems.

[sirn]

I'm curious – if open standards such as 2FA (TOTP) and Passkeys are considered locked-in, what would be a solution in your mind for an authentication scheme that doesn't subject to the inherent problems of passwords (phishing, weak passwords, password reuse, database exposure, etc.) that fits your requirement?

[vouaobrasil]

Reducing our dependence on the internet. If we do that, then internet accounts themselves will be less valuable and less prone to hacking.

[philistine]

So you’d solve the problem of passkeys being, at this very moment difficult albeit not impossible to move, by dismantling the modern financial system?

I do remind you that all money transactions are done electronically. You’d have us go back to checks?

[vouaobrasil]

> You’d have us go back to checks?

I would dismantle big tech first. The banking systems would still exist. But I don't think cheques were too bad.

[LachlanHunt]

If you don't currently depend on a software product for managing your passwords, then you are undoubtedly using weak or reused passwords everywhere. You absolutely should be using a password manager to store unique, complex passwords for everything, and then it's not really a big jump to upgrade to the superior user experience of Passkeys.

[itohihiyt]

> If you don't currently depend on a software product for managing your passwords, then you are undoubtedly using weak or reused passwords everywhere.

Not using software doesn't undoubtedly mean weak reused passwords. You can easily have strong unique passwords without a software product.

[drdaeman]

> With a password, I don't need to use a software product.

Formally, you still need a computing device with software that allows you to input and transmit the password, as well as any related challenges. (E.g. you may have hard time logging in on a device that doesn't have a physical or full virtual keyboard, like a TV - I literally had to grab a laptop and change password once because there was no character on the virtual keyboard that I needed to "type".)

While public-key cryptography isn't really doable on pen and paper, I don't see anything fundamentally wrong with requiring to perform some computations, as long as every step is documented and end-user fully and completely has access and owns their credentials. "You won't have a calculator^W computer" was the biggest lie from my childhood - everyone does, or can, including full control of ownership of the device if desired.

Of course, this is not the case with how Passkeys are currently implemented, as the corporate is extremely hostile against even idea of letting user to export "their" "own" keys.

[ylk]

> What if I don't want to pay for Bitwarden, or buy a smartphone, or tie my log-ins to my computer?

Then you and the people you influence can continue to enjoy getting phished.

> What happens when the WebAuthn standard evolves and only the big-tech companies have solutions for storing passkeys because little software vendors or open-source vendors don't support the standard as well?

For a bunch of companies/gov entities syncable passkeys aren’t secure enough. So they still need to use hardware-bound passkeys on e.g. yubikeys.

Try to read up about a subject next time before you let your imagination go wild and scare equally ignorant people away from more secure alternatives.

Your conspiracy theories even seem to push you to be against using password managers in general. I guess googling around for an offline one like KeePass that’s heavily recommended all around the internet was too hard? KeePassXC even supports passkeys.

[vouaobrasil]

> Then you and the people you influence can continue to enjoy getting phished.

Yes, you are quite right (although I have never been phished). But the spirit of your answer is correct. But that was my point: there is no choice, except to be more tightly integrated into tech, which in my opinion is a horrible thing. Instead, we should lessen our dependence on technology so computer accounts aren't so important after all.

> Try to read up about a subject next time before you let your phantasy go wild and scare equally ignorant people away from more secure alternatives.

I am fully aware that passkeys are MORE secure. If you actually read my post, my argument was not TECHNOLOGICAL, but sociological: I argue merely that the tighter dependence on this technology is a bad thing sociologically, even if it is the RIGHT thing technologically.

My thesis is that passkeys are a symptom of tighter tech integration, perhaps an inevitable one. You are irate because passkeys are the better solution to a technical problem, but I nevertheless maintain that the existence of that technical problem itself is merely a side-effect of a much larger problem for society -- the dependence on a tightly-integrated vertical technology stack. So perhaps YOU should read into the subtelty of my argument before claiming that I am ignorant.

[ylk]

Are you intentionally ignoring the part where I provided reasons for why alternatives to the use of password managers by vendors that (supposedly) cause lock-in won’t go away?

It turns your fear into a hypothetical that you’re more than welcome to discuss but imo it’s disingenuous to frame it as the incredibly big problem you’re framing it as.

[vouaobrasil]

I disagree because the problem of internet lock-in exists today, not a hypothetical future. It is already a big problem.

[thunderbong]

You can self host it

https://github.com/dani-garcia/vaultwarden

I agree with your point though

[ttepasse]

I remember when the whole OpenID/OAuth stuff started with a simple input field to login with your domain name. You could selfhost OpenID or delegate it from your homepage.

Today "distributed login" is "login with you preferred feudal lord".

[lorenzk]

Bitwarden is open source and has a free option. Granted, the app store app is a binary blob outside your control, but you have options.

[justsomehnguy]

> is open source and has a free option

For now. Remember Hashicorp?

> but you have options

If you don't want (or able) to use the 'app store app' what the options are there? What options would be when Google/Apple make a smartphone (and an app on it) a requirement, in the name of security?