> If the website accepts a password, then it can't prevent you from using the password manager you want. But if the website accepts FIDO2 passkeys, it's the same thing, isn't it?
Those sound like requirements similar to those that can be enforced with passwords. My company enforces an SSO system with an MFA scheme that is controlled by the IT department. I can use my password manager for the password part, but I must use the mandatory MFA app.
In that sense, I am not sure it is so different from passkeys?
Now you are not comparing passwords with passkeys anymore, but MFA with passkeys. Not sure what the point is in the context of the discussion.
> In that sense, I am not sure it is so different from passkeys?
Yes, if it means "company specific SSO" and a company chooses to force you to use the hardware they decided on, then that is in fact not very different from the passkey constraints.
For example: https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselec...
> If the website accepts a password, then it can't prevent you from using the password manager you want. But if the website accepts FIDO2 passkeys, it's the same thing, isn't it?
Unfortunately not...