Dan Romero
@dwr.eth
Why Passkeys aren’t a panacea
1. Passkeys are password-less credentials built on WebAuthn. The OS companies — Apple, Google and Microsoft — are responsible for their implementation.
2. For most users, Passkeys are usually stored in the OS vendor’s secure cloud, e.g. iCloud, to sync across devices.
3. This means that you need to have devices from the same ecosystem — a Mac and an iPhone — for sync to work.
4. Naturally, there are plenty of people with a different mobile device vs. computer.
5. Further, OS vendors have been inconsistent with the various features of Passkeys they implement, e.g. Apple did largeBlob and Google did PRF.
6. Would expect this to take a few more years at a minimum before all the consumer UX kinks are rolled out.
11 replies
5 recasts
67 reactions
Cassie Heart
@cassie
some addendums
7. As others mentioned, external password managers exist with varying degrees of integration with the OS. Most of them do not support specialized extensions – in fact many of the OS-level SDKs do not properly _expose_ those extensions to the password managers, leading to extremely broken experiences.
8. There is work in progress between major WebAuthn providers to support portability between ecosystems, but not all providers are game for it (Yubico), and as we’ve seen already, they tend to have conflicting support for different features outside of the basic WebAuthn NIST keys.
1 reply
0 recast
7 reactions
polymutex
@polymutex.eth
Additionally, as far as I'm aware, none of the plans around portability include permissionlessness as a design requirement. (i.e. if BigTechCorp pushes an update that removes the export feature, you are locked in)
0 reply
0 recast
3 reactions