[johncolanduoni]

They're not constrained that way at all. The communication between browsers and various passkey-holding software and hardware is an open standard. There are open-source apps that can hold and sync passkeys. I don't know why everyone keeps repeating this obvious falsehood.

[danscan]

Not sure which way of constraint you're referring to, but WebAuthn credentials are bound to a domain via Relying Party ID.

There's a proposal for cross-domain usage via Related Origins, but that scheme depends on the authority of the relying party, meaning you can't say "I'd like to be represented by the same keypair across this set of unrelated domains"

[johncolanduoni]

I was referring to this:

> Pity that Passkeys are so constrained in practice by browsers, that using them pretty much requires you trust the cloud providers absolutely with all your critical keys.

Passkeys are not constrained so you have to trust cloud providers or anyone else with all your critical keys. The key is resident in whatever software or hardware you want to use, and anyone can create passkey software or hardware that will work with Chrome etc. I'm talking about (and I'm pretty sure the OP was referring to) the other side of WebAuthn: where the credentials surfaced to JavaScript via WebAuthn actually come from and how the browser relays requests that a challenge is signed.

[danscan]

Ah, yes I agree