
> There are a number of topics on the horizon, however, with FIDO2, CTAP, and WebAuthn, we are asking websites to trust password managers a lot more. While password managers have long existed, usage is far from universal. But with FIDO2, by design, users have to use a password manager. We are also suggesting that with passkeys, websites might not need to use a second authentication factor. Two-factor authentication has become commonplace, but that’s because the first factor (the password) was such rubbish. With passkeys, that’s no longer the case.

Getting people to give up their 2FA dogma is going to be a huge, annoying debate. In some sense security experts were too successful in instilling the importance of a second factor, but maybe not the reason why it was important (because it's too hard to make secure, unique passwords).

> The initial launch of passkeys didn’t have any provision for third-party password managers. On iOS and macOS, you had to use iCloud Keychain, and on Android you had to use Google Password Manager. That was expedient but never the intended end state, and with iOS 17 and Android 14, third-party password managers can save and provide passkeys.

Password managers are already starting to show progress on this front. I've been using the 1Password passkey beta on desktop for a while now. I'm really looking forward to having those passkeys on my iOS and Android devices as well.

> We also need to think about the problem of users transitioning between ecosystems. People switch from Android to iOS and vice versa, and they should be able to bring their passkeys along with them.



