
> Are they conflating fido2 hardware tokens with “google owns your credentials, and you can’t back them up” passkeys?

Passkeys are an open standard, not a Google SSO service. You can use them with Apple devices (where passkeys shipped well before they did on Google devices), 1Password, etc. without having a Google account at all.

The concern around backups is partially true (backups are possible, exchange between implementations is in progress) and I think that’s where the confusion is coming from: the whole point of passkeys is that your private key can’t easily be stolen and the first implementations did that only within specific services with known characteristics - for example, Apple’s iCloud Keychain robustly backs up the keys (even against complete loss of all devices) but only in that service, which is understandable given their audience and the exposure. All of the major vendors have committed to interoperable private key exchange as things mature and we’re already seeing that with e.g. 1Password and iCloud Keychain allowing you to share keys with other people.

> Passkeys are an open standard, not a Google SSO service

This ignores the practical reality of every single implementation of Passkeys today. The fact is, call them Open all you want, the implementations are almost entirely proprietary. The official dev site says they don't work on Linux (https://passkeys.dev/device-support/) and in fact doesn't even list Linux as a target (only Ubuntu), and doesn't even list plans to support providers on Linux. Numerous people have said that exchange between implementations is in progress, but there's basically zero information about it (the spec process and design of exchange seems to be happening behind closed doors as far as I can tell, or at the very least I don't know where to search to find the meeting notes), and there's no timeline at all about when it will be supported, and in the meantime no major passkey provider from any ecosystem supports transfer.

But that hasn't stopped any of the major providers from launching passkeys to the general public and advocating that people start using them today.

So forgive me for being doubtful that the industry actually cares, because they clearly didn't care enough about this stuff for it to be a blocker in front of asking people today to commit to ecosystems that have zero transfer systems in place if anyone needs them. Vendor lock-in is not a theoretical future concern; every passkey system being advertised to users today is currently vendor lock-in. We are past the point of lock-in being a future concern; today, passkeys as they are presented to most users are almost entirely walled gardens, and the only silver lining is that we have vague promises that the existing problems that make passkeys user-hostile right now might be fixed in the future.

But that's apparently OK because ordinary users who can't be taught not to reuse passwords will just remember to make multiple keys across ecosystems for every website, and them needing to do that is apparently fine and nobody should complain about it or point out that it's not a reasonable thing to ask nontechnical users who can't wrap their heads around 2FA codes to do. /s

And I don't know, I don't think that people get to use "when the ecosystem matures" when Apple is telling its users to start using the ecosystem today. The ecosystem is mature, the industry has decided the ecosystem is mature enough to launch. The features that are still not implemented are features that the industry has decided were not essential parts of the standard. The industry and FIDO Alliance did not care enough to implement those features before launching passkeys and advertising them to regular users.

----

So passkeys are an industry standard, but I am increasingly doubtful that they are an Open standard in any of the ways that actually matter. Just because the docs are public, that doesn't change the fact that the major implementations are effectively closed silos today. I don't know if I'm being greedy or if I'm spoiled by web standards processes, but I would expect an Open standard to have Open reference implementations that work on every single OS. I think it's weird to have a bunch of proprietary implementations and a spec for providers that is theoretically possible to implement on Linux but matters so little to the FIDO Alliance that the official dev site doesn't even list Linux as a target. Imagine if Matrix didn't have an Open client or server reference implementation. Imagine if that entire process was happening behind closed doors and the only way to get news about what the Matrix devs were working on was to ask on Reddit or Mastodon or Twitter.

Would we call that an Open process?

----

> All of the major vendors have committed to interoperable private key exchange as things mature and we’re already seeing that with e.g. 1Password and iCloud Keychain allowing you to share keys with other people.

Genuinely, not as a joke or a gotcha but as a real request, I would love to see actual documentation about this, because maybe I'm bad at looking but I've gone through the official passkey sites and I search online about this regularly and I can't find official confirmation of this from most of the major vendors. Arguably Apple seems to have committed? But it's tricky to actually determine that because I'm never sure if they're talking about cross-device access or if they're actually talking about transfer.

I would love to see a section on the actual passkeys.dev website committing to key exchange; that would make my day. I would love to see confirmation, not on Twitter or a blog, that companies are committed to this as more than a "nice to have whenever we get to it, but in the meantime just start using them, what's the problem." I would love to be wrong about this, so please show me an official document from the FIDO Alliance itself saying that key exchange is going to be part of the standard, is going to be a required part of certification, and giving even a semblance of a timeline about when it's going to exist.

1Password constantly gets brought up as evidence that interoperability and lock-in aren't going to be a problem, but 1Password does not support transfer between ecosystems, and while they have said on Reddit that they are interested in avoiding vendor lock-in, I can't find official confirmation of that on the site and there is no timeline or details about how that's going to work. And again, "it isn't going to be a problem" doesn't cut it anymore; people are recommending that users start adopting passkeys. It is a problem now. When a system gets launched and recommended to regular users and that system is missing critical infrastructure, that's not a future problem anymore; now it's a current problem.
