This. All of this. Passkeys are a great idea, but the walled gardens are a huge problem. Also, services placing additional requirements (e.g., attestations) that potentially violate your privacy and anonymity.
Just now, at least in Europe, there is a huge push to force users to authenticate themselves with their actual identity, even for ordinary Internet services. This is happening simultaneously in many countries (including non-EU countries like Switzerland). It almost has to be a coordinated effort... driven by whom? Passkeys play into this.
Call me paranoid...
The walls are going to come down. KeyPassX supports passkeys and allows you to export them as you wish. 1Password and Apple Passwords have both said they're going to support exporting and importing of passkeys.
Yes, it's awful during the transition period while the tech matures, but there is a path towards a great future.
…and do you think we can trust Big Tech on their promises, based on their reputation / recent news events?
> KeyPassX supports passkeys and allows you to export them as you wish.
The last time I tried to use passkeys, the desktop was easy. What about mobile? There wasn't a local third-party password manager that could work with passkeys on Android.
Looks like Bitwarden has supported this since May 2024, and Vaultwarden as well. Can be self-hosted, but you're looking for something that doesn't sync at all / local-only?
https://bitwarden.com/blog/bitwarden-passkeys-mobile/
https://vaultwarden.discourse.group/t/passkeys-in-bitwarden-...
Unfortunately KeyPass is pretty fragmented on mobile devices, but there are https://strongboxsafe.com and https://keepassium.com for iOS with passkey support. I don't know what options there are for Android, but I suspect there are some.
KeePassDX on Android has initial passkey support in a feature branch, not yet ready for general use: https://github.com/Kunzisoft/KeePassDX/issues/1421
> There wasn't a local third-party password manager that could work with passkeys on Android.
Sounds like you found yourself a market opportunity…
The only thing I found is that I'm entirely disinterested in passkeys for the next 5 years.
The "tech" of passkeys is trivial in the context of authentication. You could argue that it is a UX issue. But I think you cut large companies, which have the ability to develop sensible UX a thousand times over, too much slack for a shitty product.
KeePassX is long dead, and it's not with "key" but with "kee" -> KeePassXC. Thank you :)
Walled gardens are a huge problem, but they are orthogonal to passkeys. We have had walled gardens for a loooong time already. We should fight them, I agree.
But passkeys are just a way of democratising private keys instead of passwords.
Sure, there will be examples of walled gardens leveraging passkeys. But we have plenty of examples of walled gardens that don't need passkeys at all. It's a different problem.
You're spot on. Everyone here saying "keepassX works for me" is just a frog being slowly boiled.
Passkeys are designed in a way that the attestation party is visible. Tomorrow the coordinated effort will say "too much fraud from providers other than Google and Apple, sorry" (or something about protecting kids).
> Passkeys are designed in a way that the attestation party is visible
Are you talking about the relying party? I don't think it works the way you describe...
I believe they mean that relying parties can use attestation to verify that the client implementation is one they choose to support.
The thing is, it's already the case today, without passkeys. Banks routinely force you to use their own app to log in, for instance. And for those that allow you to choose your own password, I'm pretty sure they force you to use some other factor of their own. And it actually does make sense for services that do need the security.
The fight should be "now that we have good third-party authentication thanks to passkeys, you should allow us to use those that are secure enough". Not "we don't want that new technology that is superior in many situations because services could force us to use it the way they want, exactly like they already do without this technology".
"Now that I can log in using my Yubikey, please don't force me to use your MFA apps because they are provably not superior to my Yubikey".