> but this is essentially a threat of blacklisting an entire password manager

I don't think they could blacklist the entire password manager. They can't prevent it from giving you a username/password...

Refusing some passkeys is, to me, similar to refusing passwords that are too short. It may make sense to only accept passkeys backed by a secure element. Companies already force their employees to use a specific MFA app, because they don't want to trust any app out there.

What if websites start adopting passkey-only instead of offering a username/password option? We could live in a world where services are inaccessible unless you use Google/Apple/1Password/etc as your password manager

> We could live in a world where services are inaccessible unless you use Google/Apple/1Password/etc as your password manager

If services want to force you to use whatever authentication they want, they can. That's what already happens with any service that is serious about security. In big companies, you have to use their authenticator app, their mail client, their messaging system, etc. Often it's Microsoft software. Banks have their own systems, etc.

Now, if a service allows you to use a passkey instead of their own 2FA app, I'd say it's a win. I'm happier using a security key than a Microsoft authenticator. But if they give up on using their own app, they may well set conditions on the passkey you use. And that condition may be "it has to be backed by a trusted secure element".

You won't be able to use a passkey that's deemed insecure, just like right now you are already not able to just use a weak password with some services.

Again, I'm not saying that being forced to depend on TooBigTech is not a problem: it very much is. But nothing says that services have to do it with passkeys: they could (and should) also accept secure passkeys that don't come from TooBigTech. But they still have a say in what they find secure or not, and that part is okay.

I don’t think we should create standards that make it easier for companies to erode user freedoms and I’d support legislation to restrict what certain companies can/can’t do (banks, Google/Apple, etc)

The discussion about what happens in big companies is completely unrelated to this discussion. In that case the company is the user. They can do/enforce whatever they want and nobody is having any freedoms infringed.

> The discussion about what happens in big companies is completely unrelated to this discussion

It's not, in that they have plenty of technological solutions to address their security concerns. Passkeys don't make it easier.

> I don’t think we should create standards that make it easier for companies to erode user freedoms

We want some degree of security in many services (typically our bank). And we generally can't have it all. Security is a compromise.

> Security is a compromise.

To spell out the quote I allude to above, "give me liberty, or give me death!" We could eliminate a lot of bad things in the world if we were willing to give up freedoms.

Well intentioned but naive security researchers are constructing the very tools that will be used by governments and corporations to restrict the rights and freedoms of users and I don't think we should stand for it.

> Well intentioned but naive security researchers

If you are still talking about passkeys, I kindly disagree. I feel like many well intentioned but naive people seem to complain about passkeys for reasons that are not justified, precisely because governments and corporations don't need passkeys at all to restrict the rights and freedoms of users. Passkeys won't make it easier for them, it's already easy.