Good to know.
I thought the whole point of passkeys was to make a secure, open standard that could be adopted widely. It makes sense that they would set it up to allow them to do a rug pull later.
After reading the article and some of the spec authors' comments on GitHub, I don’t think they’re setting us up for a rug pull. The problem is that they demand every implementation of Passkey follow strict standards. They have pretty good reasons for these standards. The problem is that they are threatening to ban any implementation at any time if they decide it is not meeting their standards.
That means you could set up a few online logins to use Passkey responses from KeepassXC. The Passkey spec authors could later ban KeepassXC and you would be locked out of all of those online services.
That is too much of a liability for me.
Wow, that's a deal-killer. Makes me like the open Authenticator approach that just needs a multi-digit code, so it can't know what app you're using (and block it).
Same here. That’s what I’m using right now. KeepassXC can store one time password codes, which gives you control. Having a phone app store them is daft. Having an online service like Google store them is even more daft.
If you want more security you can have a Yubikey store the secret data and use their one time password app (runs on all major OSs) to generate the codes.
The one time password code standard allows you to keep your secret codes in non-secure ways, and it lets you keep them in highly secure ways (like a dedicated one time password device). It’s up to you. No one thinks one time passwords are non-secure just because you’re allowed to use them in non-secure ways.