Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Thank you… and Yes you are right… There could be many reasons like greed or could be risk management if you think from both ends of spectrum. It’s sad actually they are developed on the same FIDO2 but insists on being seperate which is weird… Also they feel that regular user wouldn’t be able to set up FOSS passkey provider or may be they lose control over encryption if they share with third party.
Yeah the counter-interoperability of proprietary expansions on FIDO standards sounds a lot like embrace extend extinguish to me. I know engineering standards generally require field revisions but these big corps have a track record of this behavior.
I can see how the FIDO standard’s dID requirement might be an issue at the org level, but even in the case of a fully custom/unknown rooted device they have provisions for using traditional security keys attached to one or more associated devices via USB/BT/NFC. Megacorp platforms might be first to facilitate adoption but the spec absolutely accommodates open provider integration.
I need to experiment with personal security passkey registration and authentication workflows to know how difficult it actually is in practice, but it looks like the equivalent of self-signed certificates are possible anywhere the user controls the stack like self-hosted intranetwork suites that are popular around here.
Thanks again for the write up!