I've never really paid attention to the passkey push before, but now it's close to mainstream and I do pay attention, I'm wondering how come almost no one has been noticing what a huge anti-competitive clusterfuck this is? With a bit of googling I see one guy on Hacker News who recognized it, and for the rest it's birds chirping. How come no one in the WebAuthn and FIDO Alliance has been raising the alarm bells? They aren't all on Google/Apple payroll or have Microsoft-mandated blinders on. I can understand why the media isn't noticing on their own, they're idiots ... but some smart people should have been seeing the implications.
Two things have always held back WebAuthn: the need for a dongle AND the lack of backup/syncing facilities. Passkeys solve both, but ONLY inside their ecosystems. The moment you want to work cross-ecosystem you have to use cross-device authentication, which essentially makes your mobile phone a dongle and mostly goes back to sucking the big one (even if you always have it close by, for apps/sites which require user verification that would be done on the mobile; in-ecosystem you could just touch the fingerprint reader or use Face ID on the device you are using).
Microsoft is going to be dead in the water in the consumer space, because they don't have a mobile phone (they'll have their own apps and by throwing their weight around they might even get FIDO certification even though it's pure software, but even then it will only work in Edge). So now you either have to manually create passkeys both for your mobile AND Windows Hello, assuming the website even supports multiple passkeys, or just do the rational thing ... ditch Windows. Firefox is dead in the water: as a non-store app on Chromebook and Mac they aren't getting access to the keychains (though Chromebook doesn't even have a store any more, it's just PWAs now). Competition is dead in the water, what an absolute clusterfuck.
Regulators are going to be 10 years behind the ball on this at this point.