- Partner's Experience: At around 11 pm last night, partner tried to change the lounge room lights with the home light control system. Her account couldn't be accessed because Apple Keychain had deleted the Passkey.
- The Dream: In 2019, started writing a WebAuthn library for Rust in Sydney. Found issues in the standard and contributed. The library is used by Kanidm for passwordless authentication. Easy and accessible authentication with security keys on devices like iPhone and Android. Motivated to improve webauthn-rs.
- The Warnings: Chrome controls a large share of the browser market and tightly controls development. Example: the Authenticator Selection Extension was not implemented by Chrome and was removed. The justification was that authenticator discrimination is not good. Chrome has internal feature flags. Many decisions are made at F2F meetings that exclude international participants.
- The Descent: In 2022, Apple announced Passkeys. A thought leader at a FIDO conference said Passkeys are resident keys, excluding security keys. Resident keys have low storage limits.
- The Enshittocene Period: Passkeys are now used to capture users. Chrome and Safari force the hybrid (caBLE) method. Android doesn't activate security keys. GitHub Passkey threads show issues like filled resident key slots and platform bugs. Apple Keychain wiped Passkeys multiple times. Users are disappointed. The workgroup is adding complex JS APIs without resolving core problems.
- The Future: Passkeys will fail among general consumers. Corporate interests overrule user experience. Password managers are better. In enterprise, attested security keys have rough edges. Will continue to maintain webauthn-rs and related projects. In Kanidm, looking into device certificates and smartcards.