[xyzzy123]

It seems like the obvious endgame is most people will use very strong auth between their devices and Google / Microsoft / Apple and then federate to everything else. All other workflows will become niche because it's not in monopoly interests to build features that make anything else convenient or manageable.

This is where the incentives push and is why we're unlikely to see usable or easy passkey sync.

I'm sort of ok with this (it will be a net security improvement) but it saddens me a little to see more of the web come under centralised control.

Most people won't fully understand the implications of this, which will be that the right law enforcement request will instantly unlock every service you have access to regardless of jurisdiction.

Plus lots of secondary effects relating to fed auth providers having increasing leverage over the web in general.

[kccqzy]

> the right law enforcement request will instantly unlock every service you have access to regardless of jurisdiction.

You are conflating the old model of "log in with Google" and the new model of Google syncing your passkeys in an E2E way. The latter is more resistant to law enforcement misuse (not 100%, see All Writs Act in the San Bernardino shooter case).

[xyzzy123]

Yep, I agree good outcomes are possible and an e2e sync'd passkey should have better privacy properties than a federated login.

It's a nuanced discussion because in practice today, email provider is regarded as ultimate source of truth regarding identity, except for high security domains e.g. where money is involved (banks, crypto) and it's economically viable for recovery to be high touch.

So having access to a user's email is the first "golden key".

Second is OIDC / social logins.

Third would be passkeys / stored passwords / an unlocked device.

My guess about the future is that OIDC / social login will prove to scale and grow better than direct passkeys in most instances. It's a better, more fully developed model for thinking about and managing identity lifecycle, passkeys themselves are a low level primitive by comparison.

Users will understand it (social login) better, providers will support it better (partly because corporates don't have any way to centrally manage passkeys at scale, nor should they) and finally because of the fallback / recovery problem for sites using passkeys.