Passkeys are vendor lock-in and an attempt to turn a few big tech companies into critical infrastructure. I started writing this post in October 2022, when there was a huge push about the coming utopia of passkey-enabled everything. Until I can run my own passkey server, I won't be using passkeys. Since I don't have commercial cloud accounts, the decision is already made for me, and there's nothing I can do about it. I have neither a Google nor an Apple account. This is the larger issue for our tech-enabled future.
Increasingly, everything is an "app", i.e. an application running on a mobile phone. 90% of these "apps" are nothing more than an Electron or Tauri shell (Electron bundles its own Chromium browser; Tauri wraps the operating system's web view) hitting a "web app" on the vendor's site. There is zero reason we as users need to use an embedded browser when we could just as easily use a real web browser against the same "app". Even for the apps that are not embedded browsers, a proper web application should be preferred.
How do you install apps? How do you "just download our app"? Increasingly, government services are available through such mobile apps. Just click here on either the Apple or Google store link to download them. What if you don't have an account at either vendor? Want to charge your car? Want to file your taxes? Want to file a complaint? You have to go through Google/Apple first, then the app for the service.
There are workarounds, but only for Android phones. You can find one of many APK download sites and try to use them to install proprietary apps. You can try to find the app on the vendor's own site (which in my experience is, 90% of the time, just a link to the Google Play store). You can set up a burner Google account and use it for a while, giving Google control of your data and letting it mediate your interactions with the service you want to use, including your own government services.
Rather than just being a crank, what are some alternatives?
- Publish the raw APK on your site and point customers at it. Proton and others do this.
- Publish a web app that works 100% in a browser and doesn't require an "app install" at all. Gmail, Fastmail, Discord, Slack, banking, and investing sites all work 100% in a browser.
- Publish your app to F-Droid and use a freedom-respecting app store.
How does this relate to Passkeys?
Let's return to the original point. By relying 100% on Google/Apple (and maybe others) to scrap passwords, you're giving them full control of your life. Lose your Apple/Google account? Oops, now you've lost access to EVERY OTHER SITE that uses them. Passkeys are vendor lock-in. They want you to stop using passwords, and they want sites to stop accepting passwords. There are a lot of hand-wavy, future-ish statements in the press releases about how you'll be able to migrate between passkey providers, run your own, etc. I'll wager none of these happen. There is zero incentive for the passkey providers to allow account migration.
And, just as those attempting to run their own email servers are finding, if you aren't part of the cabal of "accepted providers" then your email isn't getting delivered. I get more spam from Google, Microsoft, and Apple accounts than I ever get from anywhere else. Maybe I should block all your servers until you clean up and show some proof of work that you've solved your spam/phishing/attack email problems.
This is the current future with passkeys: a vendor-driven solution by a cabal of vendors to lock in users. Maybe, just maybe, others can run their own passkey servers, but I suspect the FUD from the big vendors will be that these "independent passkey servers" aren't inherently trustworthy and therefore, sorry, you can't really use them to avoid passwords.
I hope I'm wrong and the free and open source software world comes to the rescue here.
Here are some relevant links on passkeys: