> But I think users have the right to build/use software that works how they see fit.

They have, I don't think anyone denies that. But the other side has the right to refuse working with them if they find them insecure.

I don't think it is limited to passkeys... I have always been forced to use the authentication chosen by the IT at work, it's not like I can come and say "You know what? Instead of your SSO coupled with your second factor app, I would like to use my own password manager with email and password".

Work IT is different from services being offered to the public, though.

The difference is the security requirements. Services that are fine today with you using just a username+password won't care at all if you use a passkey that is considered unsafe.

Yes they will, because of risk aversion and cargo culting. They won't actually audit a passkey provider or have well-defined security criteria, but they will just require what everyone else requires.

Hmm... why don't they already implement their own authenticator apps, if it's just risk aversion and cargo culting? Again it's totally possible and it already exists.

I currently, exclusively use my Yubikeys as passkeys, and it works everywhere where passkeys are available. So I don't personally see a problem.

What I see is that people complain because of some kind of disagreement that happened between some people on the Internet about the passkey implementation in KeePassXC. And nothing about that materialised.