I wrote about this here[1] but it seems like Passkeys are fundamentally incompatible with open source software. I tried them out, and was initially quite excited for them. But it turns out the spec has first-class support for banning passkey clients, which I feel makes the spec incompatible with open source software. The spec authors feel this is a good thing and regularly threaten open source software with bans for not following the spec, and they even maintain a list of non-compliant clients[2], which relying parties could use to ban clients that allow users to manage their own data how they wish instead of how the spec demands.

It's a pretty ugly situation, and I'm quite disappointed by this. It could've been a cool technology, but until they straighten out the story of whether users are allowed to own their own data, I cannot support it.

[1] I initially wrote this as a pro-Passkey article, explaining how the marketing around Passkeys is ludicrously confusing for what is actually a pretty simple tech. But then I found the spec authors threatening open-source implementations with bans and had to revoke my endorsement. https://www.smokingonabike.com/2025/01/04/passkey-marketing-is-lying-to-you/

[2] https://passkeys.dev/docs/reference/known-issues/
An official post: https://www.ncsc.gov.uk/news/government-adopt-passkey-technology-digital-services