
Comment by JeremyNT

1 month ago

This is the crux of the matter.

Maybe conceptually you will be able to run some kind of open operating system with your own code, but it will be unable to access software or services provided by corporate or governmental entities.

This has been obvious for some time, and as soon as passkeys started popping up the endgame became clear.

Pleading to the government definitely can't save us now though, because they want the control just as much as the corporations do.

> as soon as passkeys started popping up the endgame became clear

That's why I'm 100% against passkeys. I'll never use them and I'll make sure nobody I know does.

They're just a lock-in mechanism.

  • "Passkeys" is a new brand name slapped on an older open, interoperable technology, so it's difficult for me to be "against passkeys" as they haven't fundamentally changed anything.

    Before the branding they were known as FIDO2 "discoverable credentials" or "resident keys".

    Two things have changed with the rebrand:

    1. A lot of platforms are adopting support for FIDO2 resident keys. This is good actually.

    2. A lot of large companies have set themselves up as providers of FIDO2 resident keys without export or migration mechanisms. This is the vendor lock-in part (no export feature), but it's not a feature of the underlying tech itself.

    Fwiw FIDO are actively working on some standard for exporting/importing keys so that's something.

    If you want to use passkeys without lock-in, just use Bitwarden or KeePassXC - they both have full support. Or you can also store a limited number of passkeys on your FIDO2-compatible hardware key like a YubiKey or the open-source Nitrokeys.

    • By the way, notice Yubikey did not really release any new series/models and jacked up their price in just a few years. About 50% in 4 years.

      The large adoption of those devices and standards did not lower the price.

      They probably just banked on the enterprise market where every CISO was pressured to tick the hardware/2FA checkbox. And is then going to allow the use of the Microsoft/Google "software" one because it is hard to manage otherwise.


  • Do you recommend a password manager to everyone you know? What's the adoption rate?

    • As a data point: when non-technical friends of mine complain about passwords I tell them to use a password manager. The adoption rate is zero, probably because they don't even know what a password manager is, except the remember password / fill in password feature of their browser. The best I saw, from a not entirely non-technical person, is passwords on sheets of paper.

    • I have tried repeatedly to get my wife to use the family 1Password account for things we will both need, with minimal success. She is reasonably technical, she writes SQL, but she just won't do it.


    • I honestly suggest using Mozilla Firefox built-in password manager, it's enough for most people.

> passkeys started popping up the endgame became clear.

This logical leap puzzles me, as it is completely unrelated to HW lock-in and a rather generic medium.

This is more of a case of OP diverting a topic to shove in their pet peeve about technology they don't like or understand.

Ironically, if everyone adopted passkeys (the real deal tied to secure enclaves or TPMs), then Android malware could not steal your credentials through any kind of social engineering.
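The claim above rests on two properties of FIDO2/WebAuthn: the private key stays inside the authenticator, and the browser (not the web page) writes the origin into the signed client data. The following is an added example written for this discussion, not code from the thread or from any FIDO implementation. It assumes a toy in-process authenticator, constructed origins `https://example.com` (the real relying party) and `https://examp1e.com` (a look-alike that relays the genuine challenge), a fixed challenge string and a constant signature counter; attestation, flag parsing and user verification are omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData. The browser, not the web
// page, fills in origin, and the authenticator's signature covers its hash.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// authenticator stands in for a secure-enclave/TPM-backed key store: the key
// is generated inside and never leaves, so malware has nothing to exfiltrate.
type authenticator struct{ priv *ecdsa.PrivateKey }

func sha(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// sign is the browser+authenticator side. The open page supplies origin, and
// the browser derives rpId from it, so a look-alike site gets its own values.
func (a *authenticator) sign(rpID, origin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	// authenticatorData = SHA-256(rpId) || flags (user present) || signature counter
	ad := append(sha([]byte(rpID)), 0x01, 0, 0, 0, 1)
	// ES256: ECDSA over SHA-256(authenticatorData || SHA-256(clientDataJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, sha(append(append([]byte{}, ad...), sha(cd)...)))
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthData: ad, ClientDataJSON: cd, Signature: sig}, nil
}

// verify is the RP side: origin and rpId must be the RP's own, the challenge
// must be the one it issued, and the signature must check out against the
// public key registered at enrolment. Editing any field breaks the signature.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch")
	case cd.Origin != origin:
		return fmt.Errorf("origin mismatch: browser recorded %q", cd.Origin)
	case len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], sha([]byte(rpID))):
		return errors.New("rpId hash mismatch")
	}
	digest := sha(append(append([]byte{}, as.AuthData...), sha(as.ClientDataJSON)...))
	if !ecdsa.VerifyASN1(pub, digest, as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// demo logs in from the real site and from a look-alike relaying the genuine
// challenge, and reports which attempt the RP accepted.
func demo() (legitAccepted, phishAccepted bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	auth := &authenticator{priv: priv}
	pub := &priv.PublicKey // registered with the RP at enrolment
	const rpID, rpOrigin, challenge = "example.com", "https://example.com", "c29tZXJhbmRvbQ"
	legit, err := auth.sign(rpID, rpOrigin, challenge)
	if err != nil {
		return false, false, err
	}
	// Constructed look-alike: the browser records the attacker's origin/rpId.
	phish, err := auth.sign("examp1e.com", "https://examp1e.com", challenge)
	if err != nil {
		return false, false, err
	}
	return verify(pub, rpID, rpOrigin, challenge, legit) == nil,
		verify(pub, rpID, rpOrigin, challenge, phish) == nil, nil
}

func main() {
	legit, phish, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("real site accepted: %v, look-alike accepted: %v\n", legit, phish)
}
```

The look-alike assertion carries a perfectly valid signature, but over client data whose origin the browser set to the phishing host; the attacker cannot rewrite that field without invalidating the signature, and cannot produce a fresh one because the key never left the authenticator. That is what "tied to secure enclaves or TPMs" buys, and it is independent of which vendor stores the credential.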

> Maybe conceptually you will be able to run some kind of open operating system with your own code

Why do you think they would even allow this? If you think that governments don't have the incentives or the means to criminalize running non-approved OSes, or the unauthorized use of non-approved hardware, you're insufficiently cynical.

  • It's hard to enforce, and not dangerous enough. Accessing something serious from this unapproved code is the opposite, and is being locked down. Try running your own code on your phone's baseband processor, or boot your own OS with Secure Boot on.

Should have made open-source components in some key nodes of the ecosystem popular and profitable. But that was a tall order.

  • Open-source software permeates the Internet infrastructure. Netflix is one of the biggest contributors to FreeBSD code. Tons of TVs run an OSS-based stack.

    But once it touches the money-extraction path, like DRM, things expectedly lock up.