
From the HN pushback I think this will end up like IPv6. I get to have nice things and some others likewise - many people get to repeatedly say "Nice things are impossible" and roll their eyes. I guess they're having fun in their own way?

It's nice when we build a no-brainer technology which gets adopted at scale by default, as happened for TLS 1.3, or even when other motives overwhelm the instinctive conservatism (e.g. Let's Encrypt), but that can't always happen, and it looks like for WebAuthn the conservatives are going to stick by passwords, "From my cold dead hands" etc.

One problem with HN in particular is that there are a lot more decision makers here, so more people whose conservatism means they're going to build, promote and demand worse solutions, since the better option is in their minds impossible. That's unfortunate; it means there's a good chance that over the next years I'm going to be using more important services which have terrible authentication on account of somebody senior saying "Passwords are good, we should require passwords" and anybody disagreeing being hushed or, worse, fired. So that's not great, but it is what it is.

Anyway, for the few people who get why this is a good thing but understandably don't trust Microsoft (or Apple, Google, Facebook, I dunno, Epic Games?) I have a suggestion: All of this technology also works fine with a Security Key, which is a thing you can buy from Yubico (or several other outfits, but Yubico is easiest if you have no idea what you're doing) for like $25. And if you - like me - use Security Keys those "But what if I lose it?" questions can be answered by Technology Connections' favourite: The magic of buying two of them.



Security keys (i.e. "roaming authenticators" in WebAuthn language) have significant practical usability and availability downsides.

> "But what if I lose it?" questions can be answered by Technology Connections' favourite: The magic of buying two of them.

And the magic of having to access both of them every time you create a new account anywhere, which probably means you'll keep them both close by – increasing the availability risk.

A more realistic recommendation would be to use an open source FIDO backend such as Bitwarden or Strongbox that lets you sync cross-platform and, worst case, export your credentials if the vendor goes down a bad path.


Sure, if you trust Bitwarden but not Apple, you can, as I had assumed was obvious, use Bitwarden's Passkeys and not Apple's.

Personally I would rather have Security Keys, and there are going to be plenty of people like me. Yes, if you need a physical object as an authentication token you will sometimes need to have that object with you, I also thought that went without saying, but it's true in case it wasn't obvious.

Signing up for new accounts which deserve a separate meaningful identity (like a bank account, or a Youtuber's account, or GitHub maybe) is not a common occurrence. In the time since I last got a new Security Key I have added, let's see, zero new accounts, so I had to add that key to all the existing accounts, at work and outside, then nothing.



