I was really excited about WebAuthN, but even as somebody having read the specification several times and having done a lot of experimentation, it's now more or less a mystery to me when I can add which type of passkey to a given website.
Sometimes I get 1Password jumping in; as of lately, Chrome sometimes realizes that I have a native passkey stored in iCloud(!); until recently, there was also Chrome's local/non-synchronized passkeys on macOS; very often, nothing happens and I realize I'm just on the wrong browser for any of it to work (e.g. Firefox on macOS).
I can't realistically recommend this to non-technical friends and family at this point.
I was so excited about WebAuthN. Part of my irritation about passkeys is that I want to like them. It's a cool idea and they could in a parallel universe somewhere be really good. I wish the people working on them weren't systematically undermining my trust in the entire concept.
We have tried to offer / show an implementation of Webauthn-based cross-platform PassKey support over at mailpass.io, where you can mix and match your devices as needed to any one account. The only known limitation at the moment is Mac TouchId via Firefox, which is being worked on by FF community (but could take up to 20 years based on some recent bugfix times over there :\ )
> where you can mix and match your devices as needed to any one account.
I appreciate what you're trying to do and I'm happy for more providers to build implementations, but you can't individually solve the ecosystem problem because you're only one provider. You can't force Apple, 1Password, Google, and Microsoft to all allow import and export from your app. You can't force Amazon not to do attestation or to accept multiple keys, even if you do everything right you don't have the power to force them to go along with you.
This is a problem that has to be solved by the FIDO Alliance; individual providers can't solve it for them. The Alliance itself has to take some responsibility for the direction of the spec they're pushing and for the direction the industry is going. Ecosystem portability is not going to be solved until interoperability is a mandated condition for certification.
Totally agree FIDO need to sort this out.
Until then, we developers can at least try to show a way forwards where Apple / Google do not own all of your PassKey access.
Appreciated!
Shout out to MasterKale (https://github.com/MasterKale/SimpleWebAuthn) for a comprehensive Typescript wrapper for the spec.
The challenge was more around UX and thinking about "if we do not use a password at all, how does this work".