[jerf]

I've been using them with my BitWarden/VaultWarden setup now for a while. I was also extremely crabby about the idea of tying my accounts to hardware to the point of being unwilling to use them, but this problem is resolved. The resulting user experience is now the best of any login methodology and I remain in full control of my passkeys, up to and including the ability to back them up. I think it sometimes takes a "Never Offer Me Passkeys" from the browser sometime, just like they default to trying to get me to save my passwords into their vaults (and I always have to look up the magic setting to tell them to stop doing that on a new install), but it hasn't been that hard to make work.

I think I've heard that the passkeys providers have an option to force it to be hardware, but I've yet to encounter that, and it would also make me quite cross without a very good reason. I, personally, do not want my accounts tied to any particular bit of hardware, I want it tied to the single (very!) strong password I use for everything.

Edit: Browsing through the rest of this HN conversation it seems the password managers have some PR to do. Many HNers are not aware that password managers, even perhaps the one they are already using, have the ability to store passkeys in them. If HNers don't know, certainly outside of the HN bubble it must be even less well known.

[recursive]

The passkey pitch needs to incorporate this. Last time I paid attention, which was a long time ago, passkeys were non-portable. This is a deal breaker for me, so I wrote the whole thing off. I guess they fixed it.

[donmcronald]

> I think I've heard that the passkeys providers have an option to force it to be hardware, but I've yet to encounter that, and it would also make me quite cross without a very good reason. I, personally, do not want my accounts tied to any particular bit of hardware, I want it tied to the single (very!) strong password I use for everything.

If the functionality is built in, don't be surprised when they alter the deal and force it on you. What are you going to do if no one lets you use or migrate back to a username / password at that point?

We've seen the same thing thousands of times from big tech. They give us a system that's tolerable, but designed to leverage us into a bad position in the future. Once there's a critical mass, they'll flip the switch and we'll all get screwed.

[jerf]

I'm not sure that the big players have a motivation to force us to hardware. If anything, a lot of these entities will be happy to not have you forced to hardware because it's a support headache when people lose hardware.

(Also, be sure to understand that being forced to hardware is not "you must use a phone"... it is specifically "this passkey is locked to this Yubikey and can not by any means be moved to any other device". I don't think we're going to be stuck on that. Plus I haven't dug into the protocol but I'm not sure anything stops BitWarden from just claiming to be hardware.)

That said, my eyes are peeled, and at the moment the momentum is in the other direction, in that they actually headed away from that.

[stubish]

We already saw something similar when 'Login with OpenID' became 'Login with Google/Facebook/Twitter'