
for real, it's so much better i've started using it everywhere, to the point where if a service asks me for a password i get really annoyed.

no i don't remember this random string i typed in months ago and no i don't want to have to type in the password to unlock my password manager for the 82349th time

this whole thread is perplexing, a forum full of tech people bitching about something that's more secure and more convenient



> a forum full of tech people bitching about something that's more secure and more convenient

I don't trust a cloud vendor to own my entire digital life, and I don't want to have to stand up and maintain my own super complex self-hosted passkey service. Passwords are easy, just stuff them in an encrypted text file. I have no idea how to self-manage passkeys.


With iOS, at least, you just backup your phone (locally, no need for iCloud).


That still means I have to depend on Apple to get access to my services, no?


Your keys are synchronized locally. You’re depending on Apple to activate new devices.


Hmm, let me try to put this another way: how can I use passkeys such that at no point does my login go through a third party in between me and the service I'm trying to use?


That’s literally how passkeys work: your computer communicates to the remote server with no intermediaries.


Then why is everyone talking about phones? https://hackernews.hn/item?id=42444246 You also said above Apple is involved with a new device or something.


That’s what happens if you need to login from a device which doesn’t have your passkey on it: that device displays the QR code and you scan it with your phone and approve the request.

Still no third parties between you and the remote server.


Okay. How do I get a passkey on a device? Say if I'm using Firefox on Linux.



Oh nice, thanks!! That Bitwarden link is exactly what I wanted to see. Open source software, no services to run, no cloud providers or phones involved. That's a much better process than all the weird phone stuff people are talking about all over this thread.


Yeah, the phone stuff is really an edge case for people using something like a work device to access a personal account. I’ve tested it but almost never use it.


The public comms around this capability have been terrible, at least towards a technical audience. It all focuses on the "key stored on phones with proprietary OS" model, completely hiding how it actually works. I'm sure that's fine for a general audience, but as someone who doesn't trust these big companies with my whole life, it's an extremely repelling message.

Like the very first sentence on the official passkeys website is, "A passkey allows a user to sign in to apps and websites with the same process that they use to unlock their device (biometrics, PIN, or pattern)." I don't use any of those methods to unlock my Linux laptop! What does unlocking my personal device have to do with logging in to websites? Is it reading my /etc/shadow? What's going on here?? Just terrible.

Oh, it's just a keypairing system. Okay. Why don't they just say that?? How you unlock the private keystore is just an implementation detail, not an inherent property of passkeys.

Thanks again for the Bitwarden link, I'm going to play around with it this weekend and see if I can figure out how it actually works without all the offputting, misleading marketing speak.


Update for anyone who stumbles across this: I've found passkeys are still not ready for prime time :( I tried creating one in Google with Firefox, but apparently they don't allow desktop browsers to create passkeys. I tried setting up Bitwarden to manage local passkeys, but it requires an account on their cloud services or a bunch of work to set up your own local cloud service, which I'm not going to do. Sigh. I was excited to try this, but passkeys are clearly not aimed at people who want to own their own data.

If passkeys are too complicated for me to figure out, I don't think they have any hope for the wider public.


... until you drop your phone in the toilet, that is. Then be prepared to spend weeks resetting passkeys.


I recently had a phone with a bunch of passkeys on it die unexpectedly. I didn't spend weeks resetting passkeys. I just logged into things with my hardware token on my keyring until all the sites I cared to use on my phone had fresh passkeys.

Or if my keyring was in the other room, I'd use the passkey on my laptop or desktop.


Most phones are waterproof and if your toilet holds your phone, laptops/desktops, and recovery keys it’ll also take your password vault because it’s actually a black hole.


I currently have most passwords synced with Firefox. If I lose or break a device currently, I can restore from another, synced, device. If while using passkeys I lose or break my device, then what?


Any of your other devices will still work, as will your recovery codes, for getting a new device synced.


How would that work without a homogeneous setup? Won't all devices need to be with Apple or Microsoft (etc)? Or is there a standard/cross platform solution?



