I don't see where he is threatening anybody? He's just stating the obvious. If you promise to store a key in a non-exportable format and then create a big export button, websites won't trust your software.
> What happens if my PC goes down and I couldn't export my data? I just can't log in anywhere?
Then you follow the procedure you would follow for when you'd forget your password. Probably a password reset through email, maybe calling customer support. Or if you have it set up, you could use the passkey set up on your phone or Yubikey or whatever to log in and create a new password on your new PC.
Passkeys aren't passwords, that's the whole point. It's modelled after the "something you have" factor, not "something you know". If you're finding workarounds to violate the security design, you're not gaining any advantage by using passkeys. Just use a password if you want to use a password.
> If you're finding workarounds to violate the security design, you're not gaining any advantage by using passkeys.
The trouble is, if websites are allowed/encouraged to ban clients, then the advantages you're talking about come with the downside of hard-tying yourself to one of 3 US-based Big Tech companies, because those will be the only ones who will ship clients declared "secure." That's not a trade-off I'm willing to make for something as critical as my service logins. You can already see this happening, almost every article talking about passkeys assumes you're logging in with an Apple, Google, or Microsoft device.
> Then you follow the procedure you would follow for when you'd forget your password. Probably a password reset through email, maybe calling customer support.
This is a downgrade from passwords (and exportable passkeys), where I can just restore it from a backup.
> Just use a password if you want to use a password.
Yeah, that's what I plan to keep doing, unfortunately. What I'm worried about is a password-less future where that's no longer an option and we all have to submit to using one of Android, iOS, or Windows to log in to everything because those are the only clients that can be trusted(TM) to handle the user's data as the big tech companies and governments desire it to be handled. This is a dark future.
You already need to submit to iOS or stock Android for a myriad of banking or government apps that use remote attestation to verify that you are running "untampered" software.
FWIW this has not been my experience in the US, I've always been able to use websites for these things. I use my phone for almost nothing important since I don't trust it. But yes, I fear we are heading in that direction too.
I keep seeing this where? What banks don’t allow you to go to their website and use them from your phone? Which government apps don’t also have websites?
Not in the western countries yet, I guess. I live in Thailand and have accounts in two banks and both of them only allow usage through an app that's only available through the App/Play store. Android version of Krungthai's bank app freaks out if you have developer settings enabled (even without changing anything, just enabling the access is enough to lock you out). And to use that app in the first place, you have to go to a branch and have staff set the app up for you, as passing the facial scan checks is impossible for foreigners.
Several German banks (at least mine, one of the bigger ones) exclusively have you use an app for 2FA, you can still log in via the website if you are lucky (as long as you have that one saved) but not do any transactions. So I would call that required.
That's what I still don't understand. Why is "something you have" deemed more secure than "something you know". For a while everyone was harping on MFA, but suddenly passkeys came along and now SFA is fine as long as it's a passkey?
MFA is more secure: you combine multiple factors of authentication. You could do password + passkey, password + TOTP token (assuming such tokens are not exportable either), password + biometrics, passkey + biometrics, even TOTP + biometrics would be MFA.
I don't think anyone proposes replacing MFA with passkeys, most proponents are proposing replacing passwords with passkeys.
A second question is "is MFA still necessary when using passkeys", as passkeys are generally more secure than the Welcome1234! type passwords most people use. I'd argue that for quite a few non-critical services, it wouldn't be. More and more services have started requiring 2FA because the damage of accepting passwords alone was too great, and with passkeys I don't believe the same damage would occur.
It'd still be good to offer the option. In fact, I think passwords should be offered as a second option; combining passkeys with something like TOTP would be close to useless as the same thing you use to validate the passkey probably also generates the TOTP codes.
Amazon actually does MFA with passkeys: you can log in with a passkey but it'll still ask you for a TOTP code. I'd rather combine password and passkey, but at least they're not completely turning off the additional layer of security.
The threat he relayed was more serious than the threat he made. But it is a threat when a person with influence suggests they may support a punishment.
> If you promise to store a key in a non-exportable format
There was no such promise. The people who wish Passkeys to replace passwords did not even demand it yet.
A credential private key is the private key portion of a credential key pair. The credential private key is bound to a particular authenticator - its managing authenticator - and is expected to never be exposed to any other party, not even to the owner of the authenticator.
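The property quoted above (the credential private key never leaves its managing authenticator) is easiest to see in code. The following is an added example, not code from this thread or from any WebAuthn library: a minimal Go model of a passkey assertion in which the private key sits in an unexported field with no accessor, and the relying party verifies using only the public key and the last accepted signature counter. The names (Authenticator, VerifyAssertion), the relying party "example.com" and the simplified authenticatorData layout (rpIdHash || flags || signCount, no extensions) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Authenticator keeps the credential private key unexported with no accessor:
// all it will ever do with the key is sign assertions for its one relying party.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string
	counter uint32 // WebAuthn signature counter, incremented on every assertion
}

// NewAuthenticator binds a fresh P-256 key pair to one relying party and hands
// back only the public half, which is what the RP stores at registration.
func NewAuthenticator(rpID string) (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, &priv.PublicKey, nil
}

// Assert returns authenticatorData = rpIdHash || flags || signCount and an
// ECDSA signature over SHA-256(authenticatorData || clientDataHash).
func (a *Authenticator) Assert(clientDataHash []byte) (authData, sig []byte, err error) {
	a.counter++
	rpHash, ctr := sha256.Sum256([]byte(a.rpID)), make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, a.counter)
	authData = append(append(rpHash[:], 0x01), ctr...) // 0x01 = user-present flag
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return authData, sig, err
}

// VerifyAssertion is the relying-party side: it needs only the stored public key
// and last accepted sign count, rejects a wrong rpIdHash, a count that did not
// advance (replay or cloned key) or a bad signature, and returns the new count.
func VerifyAssertion(rpID string, pub *ecdsa.PublicKey, lastSeen uint32, clientDataHash, authData, sig []byte) (uint32, bool) {
	if w := sha256.Sum256([]byte(rpID)); len(authData) != 37 || string(authData[:32]) != string(w[:]) {
		return lastSeen, false
	}
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	count := binary.BigEndian.Uint32(authData[33:])
	if count <= lastSeen || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return lastSeen, false
	}
	return count, true
}
```

Nothing outside Authenticator can read priv, so a "big export button" would have to be added to the authenticator itself; the sign counter is what lets the relying party notice when two copies of the same key are in use.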