What happens if you use Windows, Mac, FreeBSD, Linux, Android (without Google account!) and iOS? Yes I use all of those daily.
All the implementations I've seen are walled gardens. We really need some self hosted option that is fully cross platform.
Besides the walled garden I definitely don't trust a big tech player with the keys to my entire online life. Besides tracking and telemetry concerns they can block me for any perceived "terms of service violation" usually without much recourse. Or even because I logged in from an unexpected location as recently happened to my Instagram.
Not so much a problem when I hardly have any data in Google. Huge problem when it's the key to everything else.
> We really need some self hosted option that is fully cross platform.
It needs to be supported by the big players too. A self-hosted option isn't enough.
A self-hosted, cross-platform and Open Source provider that's usable with existing services is a requirement for people who are comfortable with technology and who are familiar with the ecosystem to come on board. People like me need that. But if I'm going to advocate that ordinary people use passkeys, then it's not good enough that there would theoretically exist a provider that wouldn't lock them down.
As long as the default option that their OS is telling them to use is locked down and can't import or export, then the only advice I'm going to give them is "don't use passkeys." I'm not going to deal with a situation where they move phones and I have to tell them "oh, you would have been able to sync your passkeys across ecosystems easily, but you chose the wrong ecosystem to go with, so now you can't."
Inconsistent implementations and inconsistent providers will kill passkeys as a general tool.
> It needs to be supported by the big players too. A self-hosted option isn't enough.
But the way WebAuthn works, it should be possible for any platform to offer this functionality. I believe 1Password already offers cross-platform. But it's not self-hosted, which is what I need.
Very common mistake that people make; there are two things that can be meant when people talk about "cross-platform":
1. The ability to use the same passkeys on a Windows/iOS/Android device. 1Password supports this, and Apple is moving in this direction with its Chrome extension. Note that this isn't universally supported, but it's getting better over time.
2. The ability to move ecosystems entirely -- i.e., the ability to export passkeys from iCloud onto a Windows computer, or to export passkeys out of 1Password into Bitwarden. No major platform supports this, not even 1Password (although they have at least said they're lobbying for it). As far as I know, there is no timeline for supporting this, and FIDO's current position is that they don't want to require it.
The second problem can't be solved by an individual provider, Open Source or not, because there's nothing in the spec requiring other providers to support export/import and no standard about how that export/import should happen. It has to be something that's tackled by the Alliance, and it can't be an optional part of the spec.
If users have to do research about which passkey provider is safe to use in order to avoid vendor lock-in, then I can't recommend passkeys to ordinary people.
----
This is a common confusion, and it's not helped by the fact that passkey advocates often conflate the two ideas; so people come into passkeys and think, "of course they're portable, everyone is telling me they're portable, everyone is telling me 1Password solved portability." But they're not portable; advocates are just using the most narrow definition of the word and are treating limited cross-device support and in-ecosystem backup as if those are the only things that matter. I've seen advocates argue that the problem of ecosystem independence is solved by Yubikeys even though Yubikeys are even less portable than roaming keys and more locked down. Not only can they not be exported to different non-Yubikey ecosystems, they can't even be backed up within the same ecosystem.
Bitwarden could theoretically get passkeys to the point where I would be OK using them because I'd only ever use Bitwarden's implementation and would self-host and the Open Source nature would guarantee that other people could read the data if I needed to move somewhere else. But Bitwarden can't get passkeys to the point where I'll recommend anyone else use them, because there is no way currently to use any other provider without suffering provider lock-in[0].
[0]: And no, before someone else comments otherwise, manually duplicating all of the keys across devices is not a reasonable or accessible strategy for avoiding lock-in.
> we never, under any circumstance, want to allow them to be persisted unencrypted. We don't want vendor lock-in any more than you do, but getting everyone to agree on a common spec takes a while. We're trying the best we can to accelerate the process but please understand that defining secure specifications takes time.
1Password's position is that it only wants to support export as part of a shared standard; my understanding is that they aren't interested in exposing passkeys in a form where they are unencrypted and the user can inspect them by hand.
1Password is pretty much the only voice I've heard talk about tangible plans for export (part of the reason I use the word "lobbying" to describe them is that they seem to be the member of the FIDO Alliance that I can find publicly advocating for a standard), but I suspect their position reflects the position of other FIDO Alliance members. Absent some evidence otherwise or some FIDO member giving some kind of information to the contrary, I'm assuming that we are not going to get export at all from any of the major providers until every provider agrees on a single standard, and short of individual providers like 1Password lobbying for that to be prioritized, I've seen no information about an official timeline or even any information about where in that process the FIDO Alliance is or whether other providers are interested in working towards that standard.
> But why can't bitwarden be its own provider? I don't understand the constraint there.
Bitwarden can be its own provider. If attestation doesn't go wrong (which is still a risk since lack of attestation for roaming keys is not standardized, we're relying on Apple's goodwill to block attestation on iOS), then Bitwarden will be usable with every service. However, my point is that having only one Open Source provider is not enough to make passkeys worth recommending to ordinary users.
Assuming everything goes well with Bitwarden their implementation might be enough for technical users like me who are familiar with the ecosystem and know how to avoid the many caveats, but ordinary users are going to be locked into proprietary platforms and ecosystems until the export/import situation is sorted for everyone. I can't recommend passkeys as a standard if there's only 1 provider that allows export/import and nobody else is required to work with them.
I don't want to have a conversation with my parents where they find out they can't move between ecosystems because they accidentally used their phone's built-in passkey provider. It's easier and safer to just tell them not to use passkeys.
----
As a side note it's worth mentioning that -- while I assume it will be possible -- I haven't actually seen any confirmation from Bitwarden that they are going to support export either. With an Open Source program it will be possible for someone to add support, but I can't actually say with complete certainty that you won't need to fork Bitwarden and program support yourself if you want to export passkeys. I can't with complete certainty say that someone using Bitwarden's official service instead of self-hosting will be able to export passkeys. I assume they will be able to, I assume there's a branch somewhere on a GitHub repo I could look at that would show that Bitwarden will allow some form of user-inspectable export.
But I haven't actually found that branch and I can't find any information about what exports will look like from Bitwarden or what format they're considering or if it's just going to be rolled into the existing data vault. If that information is online, it doesn't seem to be in an easily searchable place.
I assume export will be supported in Bitwarden and it'll just be another part of the vault. But it would be nice to get some info about it.
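The attestation point raised earlier in the thread (a relying party can block a software provider by insisting on a verifiable AAGUID) is decided on the server side of a WebAuthn registration. The following is an added example, not code from any commenter or from Bitwarden or 1Password: it parses the `authenticatorData` bytes a registration returns and evaluates them under two relying-party policies, the WebAuthn default (attestation "none", any provider accepted) and an AAGUID allowlist. The relying-party id `example.com`, the AAGUIDs and the credential id are constructed sample values, not any real vendor's identifiers; the COSE public key is left as opaque bytes since decoding it needs a CBOR library.

```python
"""Relying-party side of a WebAuthn registration: parse authenticatorData and
apply an attestation policy. Added example with constructed sample values."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Flag bits of the authenticatorData flags byte (WebAuthn spec section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

ZERO_AAGUID = bytes(16)  # what a provider reports when it makes no identity claim


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]
    cose_key: Optional[bytes]  # CBOR COSE_Key, left opaque here


def parse_auth_data(buf: bytes) -> AuthData:
    """Split the fixed 37-byte header and, if the AT flag is set, the
    attested credential data (16-byte AAGUID, 2-byte length, credential id, key)."""
    if len(buf) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash, flags = buf[:32], buf[32]
    (sign_count,) = struct.unpack(">I", buf[33:37])
    aaguid = cred_id = cose_key = None
    if flags & FLAG_AT:
        if len(buf) < 55:
            raise ValueError("truncated attested credential data")
        aaguid = buf[37:53]
        (cred_len,) = struct.unpack(">H", buf[53:55])
        cred_id = buf[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credential id")
        cose_key = buf[55 + cred_len:]
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id, cose_key)


def evaluate_registration(rp_id: str, fmt: str, auth_data: bytes,
                          require_uv: bool = True,
                          allowed_aaguids: Optional[Set[bytes]] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). `fmt` is the attestation statement format taken
    from the CBOR attestationObject ("none", "packed", ...). With
    allowed_aaguids=None the relying party follows the WebAuthn default and
    accepts any provider; with an allowlist it needs a verifiable AAGUID."""
    ad = parse_auth_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad.flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not ad.flags & FLAG_UV:
        return False, "user verification required but not performed"
    if not ad.flags & FLAG_AT:
        return False, "registration carries no attested credential data"
    if allowed_aaguids is None:
        return True, "accepted: attestation 'none' policy, any provider allowed"
    # Under fmt "none" the AAGUID is an unverified claim, so an allowlist
    # cannot be enforced on it; this is where software providers get locked out.
    if fmt == "none" or ad.aaguid == ZERO_AAGUID:
        return False, "rejected: allowlist policy needs a verifiable AAGUID"
    if ad.aaguid not in allowed_aaguids:
        return False, "rejected: AAGUID not on allowlist"
    return True, "accepted: AAGUID allowed (attestation statement still to be verified)"


def build_auth_data(rp_id: str, flags: int, sign_count: int, aaguid: bytes,
                    cred_id: bytes, cose_key: bytes = b"\xa0") -> bytes:
    """Constructed sample authenticatorData for testing; 0xa0 (CBOR empty map)
    stands in for a real COSE key."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count) + aaguid
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


# Constructed placeholder AAGUIDs, not any vendor's real identifiers.
SAMPLE_SOFTWARE_AAGUID = bytes.fromhex("11111111222233334444555555555555")
SAMPLE_ALLOWLISTED_AAGUID = bytes.fromhex("aaaaaaaabbbbccccddddeeeeeeeeeeee")

if __name__ == "__main__":
    sample = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, 0,
                             SAMPLE_SOFTWARE_AAGUID, b"sample-credential-id")
    print(evaluate_registration("example.com", "none", sample))
    print(evaluate_registration("example.com", "none", sample,
                                allowed_aaguids={SAMPLE_ALLOWLISTED_AAGUID}))
```

The same registration response passes the default policy and fails the allowlist policy; nothing about the authenticator changed, only the relying party's configuration, which is why provider choice alone cannot guarantee a passkey works everywhere.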