p0seidon's comments

Enjoyed reading it


This is such a well-written read, just so insightful and broad in its knowledge. I learned a lot, thank you (loved NT at that time - now I know why).


This rant is utterly factless and at an absolute novice level. It is correct that building a passkey-first system (without fallbacks) is not possible today, but that's like going all in on Google Social login and then ranting about why not all users can access the system.


Passkeys are never going to be possible without fallbacks, for the same reason that hardware keys aren't possible: people frequently lose their devices.

And if people let Google handle their passkeys, then it's equivalent to going all in on Google Social login.

Passkeys have absolutely no advantage over using a password manager. If your browser can generate, store and autofill passwords, then we're talking about the same level of convenience.

I don't mind passkeys, but that's only because I use them with a cross-platform password manager that I can trust. And it will be a really long time before I recommend the use of passkeys to my family and friends.


I guess from a tech perspective, we can now create solid connections between clouds and consumer accounts without the need for social logins (device/cloud -> websites). We will be flying to Mars and have self-driving cars, yet we still have to juggle passwords and password managers.


>What do you mean by this?

By default in a free country there will always be loads of consumers who have no interest in authenticated activity.

Authentication of all types in every facet of life may not be completely avoidable, but more people are aware of the fruitless friction often involved, plus risk of divulging anything uniquely identifiable for mere consumer acquisitions.

As malicious threats continue to increase exponentially, especially online, you can expect more consumers to withdraw from previously-accepted remote identification schemes altogether, rather than escalate their own personal "identity crisis" at the rate needed to meet the challenge.

>we can now create solid connections between clouds and consumer accounts without the need for social logins

Some casual websites can be more sure than ever who is visiting and whether or not they are a qualified consumer. While at the same time consumers must endure more challenges to access the website, and increasing risk for the disclosure of their information, and are becoming less sure that any website can be trusted at all.

So the anti-privacy enthusiasts have gotten as far as this will take them (at present levels of consumer friction), as mentioned above I expect downward pressure from here.

If anti-privacy is to continue flourishing, they're going to need a whole new level of intrusion from this point.


You're right about the growing friction between security and user experience, especially with the increasing sophistication of threats. However, if we don’t move towards more seamless & secure authentication methods, won’t we risk stagnating in terms of security? The average consumer is at risk, the privacy-savvy user can avoid that easily, the question is how do we help the "average consumer"?


That's the really good question; it seems to me the average consumer is being let down the hardest, and they are the most abundant and the ones on whom B2C depends most.

I think security is already less than stagnant; it's declining under overwhelming force, the same force that presents the risk of consumers stagnating or reversing in response.


Exactly, the average consumer is the most vulnerable in this landscape. Passkeys, in particular, seem like a promising solution to simplify authentication and protect average consumers. With better integration across platforms, could passkeys be the bridge that balances security and convenience for the 'average consumer' without requiring them to be privacy or tech experts? Most of them share much more valuable information in the cloud already (from privacy perspective)…


I think passkeys will bring us automatic authentication, where you can establish an automatic login with consent across all operating systems. The operating system would silently log you in the background. Do you think this could lead to privacy discussions, even if it adds security?


>this could lead to privacy discussions, even if it adds security

These discussions have a lot of catching up to do.

I'm no expert, but I think privacy needs to be the highest priority. The purpose of security measures should be first to preserve privacy, as they work to mitigate other threats if possible.

I just don't think I would be a happy camper with a single point of failure for both identity and security.

Really have no use whatsoever for a Microsoft account or anything like that.


It could be combined, there are solutions to that.


On which two devices?


?? I use Firefox on my Mac, and I use Safari on my iPhone. My point was just that Firefox does integrate with Apple's passkeys.


I am one of the Co-founders. We have heard from members of the FIDO2 community who are closer to Apple that this will probably happen. You are right that Apple could also be positioned more as a password manager on other platforms; we have considered this. However, this is not how most people currently perceive it.

Google releasing this functionality to production is relatively new for those outside the passkey community, although it is not surprising when following Chrome Dev.

Overall, the tendency of Apple and Google to focus on passkeys for consumers and make them accessible is an interesting angle. In our blog, we frequently discuss password managers; in fact, we are also 1Password customers. Passage is a part of 1Password that operates in the same field as we do, likely because they recognize a potential threat from Apple and Google in the consumer space.

For companies implementing passkeys this is quite a significant change, because now Chrome can carry a passkey that used to be a cross-device case before. The ecosystem is getting more complicated...


I think you are right for the moment; maybe now they will put in more effort?


"Now" why? What's changed? There's no demand for it. The market of people who say "I'd switch to iCloud Keychain if only they had better Windows support" is vanishingly small, and at the end of the day Apple doesn't reap revenue from iCloud Keychain anyway so why do they care if you switch?

A more native and higher quality Apple Passwords app for Windows wouldn't even really solve anyone's problems. I don't know the specifics on how the Windows Hello authentication layer works, but my assumption is: Apple can distribute this app, but this app couldn't just make its passkeys natively available to e.g. Chrome on Windows, without a browser extension which would effectively bypass the app anyway. And, Apple already has a Chrome browser extension.


That is the next interesting point. At the moment, you are right; there is no third-party password manager support on Windows. However, when they integrate synced passkeys, they might offer that. I think, until now, there has been no strategic value in leveraging access management for customers. Once you have a passkey in your cloud, you have a connection with a website forever (unless you revoke it). The future is an automatic login via passkeys (with user consent, of course).

What changed: Apple & Google want to enter deeper into customer connection and at the same time offer a more secure and convenient authentication for their customers.


same


This is 100% the reality

