[signal11]

This so many times. The cryptography around passkeys is great. An operational consequence that a lot of people seem to miss is lock-in.

I know passkey vendors will say they’re working to make interoperability easier in 2025, and that’s true. Equally the number of users who’ll take advantage of this interop will be a rounding error. The net effect will be even more platform entrenchment.

[dcow]

Unless people use weak passwords today, all their passwords are scattered across various browsers and system autofill, unless they use a PW manager deliberately, in which case they’re “locked in”.

One of the couterpoints here is that while good security might have you adopt one password manager vendor, that vendor is not necessarily the same as your platform vendor. Traditionally this is a way to fight vendor lock in.

[recursive]

You can export your passwords. I've done it and switched vendors.

[hedora]

It is trivial to migrate from lastpass to bitwarden. I’m not sure about all other permutations of password managers though.

[signal11]

There are open source password managers with decent interop. The interop is very crusty csv export / import, but hey, it’s not Hotel California.

With passkeys, the concern is that the platform vendor will become the password manager for a lot of people … Android users will use Google’s built in password mgmt tools, iOS users will use Apple’s. This makes switching that much more difficult.