by hansvm 317 days ago
There are two huge problems with that.

(1) Google "strongly encourages"/tricks you to create a passkey even when you don't know what that is or want one and doesn't explain the downsides like having to suddenly pay for support.

(2) The status quo is that I can create any password I dang well please for any website, but the new world order is that Google gets to snoop on my affairs and intervene on the website's behalf, and since nobody will implement anything more than the bare minimum I'm going to be beholden to Google for normal day-to-day activities where I wasn't before. Maybe I could buy an iPhone or three and be beholden to Apple and/or Google. Either way, it's not a good world.

Yes, it's perfectly reasonable absent any other facts that if Google owns my passkey then they're the people I should pay for support. What's happening instead though is:

- They're lobbying websites, apps, and developers, trying to push passkeys as more secure and the future of the web.

- All the "getting started" guides only have enough details to actually implement Google and maybe one or two other big actors as providers.

- When people have the audacity to sign in with their usernames and passwords, Google interrupts their flow to tell them about how great passkeys are and how it's critical they make one. They don't mention a thing about how irreversible the process is or how it has zero benefit to the user. The UI is slow and janky, so the accept button is likely to accidentally appear over other things the user planned to click. 100k software engineers somehow can't figure out how to debounce on redraw, so that misclick will permanently infect that person's account.

And so on. I don't want to use Google for passkeys. At all. The near future doesn't, however, look like one which is amenable to me owning my own signing credentials. I won't have a choice in the matter. My choices are to pay Google (and/or some other megacorp with a direct, by order of the courts nondisclosed, line to DOGE and friends) or GTFO.

In the early 1900s this had names like "protection money." More recently we've seen terms like "regulatory capture." Whatever the exact nomenclature, it's terrible. Google is force-feeding a bad solution into the ecosystem and using their clout to ensure that they own a big, steaming piece of the bullshit pie we're cooking.

That's the issue. If I buy a support contract from you and complain that GGM is the worst acronym in the world then that's one thing. If you beat my colleagues and me with a wrench till I fork over my hard-earned dollars and loudly proclaim your sainthood whenever I've healed enough from the attack to speak my mind then I don't think I'm the problem, and those saintly/googley claims will hopefully fall on deaf ears.

The world isn't as black and white as just looking at who has control of the passkey.