Hard pass. I will not use #passkeys and will tell my friends and family to do the same.
So long as attestation is part of the WebAuthn spec, it allows companies to lock consumers into using specific passkey managers.
It's exactly like streaming subscriptions. Attestation sets up the dystopia of a paid 1Password account for your email passkey, a paid LastPass account for your utility account passkey, a paid Bitwarden account for your health insurance, etc.
https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better
@atoponce don’t several open source password managers support passkeys though? Or am I not understanding the subtle nature of the problem?
@CjMalone @feoh @atoponce
And another one that is tangentially related, a certification requirement that enforces users having less control: https://github.com/keepassxreboot/keepassxc/issues/10406
@idiot @atoponce
Yep, it's the same person in both issues! One might think that passkeys solve old problems with fancy new cryptography, but in fact it's good olde public/private keypair authentication served under a different sauce, with vendor lock-in baked right in: phishing resistance is achieved solely through not being able to access the private key using normal means — otherwise the software you use to manage them won't pass the attestation. It's all marketing bullshit!
Security whackos are wild.