
Attestation is a big barrier for self hosting which is the only way I'd adopt it.

But afaik the biggest implementation of passkeys (Apple) doesn't support attestation so right now it's not a problem, nobody requires it in order not to lose all the Apple userbase. This may change in the future though.

Another problem is no self hosted toolchain with full cross platform sync but hopefully it'll come.




Attestation is basically gone – it doesn’t work with cloud sync, which is largely where things seem to be moving.

My main concern at this point is user confusion, followed by platform lock-in.

Or am I missing a way for users to migrate from the Apple ecosystem to Google or vice versa, for example, without registering new passkeys for all of their accounts before they trade in their old device (or it breaks and they try to recover on another platform)?

Not even 1Password supports exportable passkeys at this point. Apple even lets me easily share them across accounts (which seems like a huge risk!), but obviously not across ecosystems either.


I'm hoping bitwarden will start offering this. After all it's open source and with its own server you can self-host, so once it does we should be able to own it all ourselves. I also have zero interest in this if it means being tied into Google or Apple.


Bitwarden is planning to release their implementation in October: https://bitwarden.com/blog/bitwarden-passkey-management/


> Attestation is a big barrier for self hosting which is the only way I'd adopt it.

The issue I have with attestation is that I feel that we're saying "is it a problem?" "no, but it theoretically could be, so let's use passwords instead".

I think that passkeys are better than passwords, even with attestation, and if it becomes a problem, we can complain about it then.


Attestation is a huge problem because it can be used to exclude self-hosted systems, which is the only way I would even consider using passkeys. I abhor "sign in with Google/Microsoft/Meta...etc" things too.

For example the admins at my work refuse to "certify" any security keys other than yubikeys. And because those do support attestation it is not possible to circumvent it. For work it's not an issue, they will just have to supply me a key if they want me to use the damn thing, but I don't want consumer-focused sites to use it obviously. Attestation is inherently evil and anti-FOSS.

I just won't opt in to it until attestation is gone, but thanks to iCloud not offering it, it is currently not demanded by any of the sites.
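The exclusion mechanism the comment above describes, as an added illustration that is not part of the thread: a relying party that requires attestation can read the authenticator's AAGUID from the registration response and reject any model that is not on an allow-list, while a relying party that ignores attestation accepts the same registration. The script parses the WebAuthn authenticator-data layout (rpIdHash, flags, signCount, attested credential data) and applies both policies. Every AAGUID and byte string here is constructed for the example; none is a real product identifier.

```python
"""Parse WebAuthn authenticator data from a registration response and apply two
relying-party policies: an AAGUID allow-list (needs attestation) and a policy that
ignores the authenticator model. All sample values below are constructed."""
import hashlib
import struct
import uuid
from dataclasses import dataclass

# Constructed AAGUID standing in for an enterprise-approved hardware key (hypothetical).
APPROVED_HW_KEY = uuid.UUID("12345678-1234-5678-1234-567812345678")
# Constructed AAGUID standing in for a self-hosted / open-source authenticator (hypothetical).
SELF_HOSTED_KEY = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
# Registrations with attestation format "none" commonly carry an all-zero AAGUID,
# so the relying party learns nothing about the authenticator model.
ZERO_AAGUID = uuid.UUID(int=0)

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: uuid.UUID
    credential_id: bytes
    public_key_cbor: bytes


def build_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes, pubkey_cbor: bytes,
                    flags: int = FLAG_UP | FLAG_UV | FLAG_AT, sign_count: int = 0) -> bytes:
    """Assemble authenticator data in the wire layout
    rpIdHash(32) | flags(1) | signCount(4, big-endian) | aaguid(16) | credIdLen(2) | credId | pubKey."""
    attested = aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + pubkey_cbor
    header = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return header + attested


def parse_auth_data(data: bytes) -> AuthData:
    """Decode the layout above, rejecting truncated input."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    if not flags & FLAG_AT:
        raise ValueError("registration response carries no attested credential data")
    if len(data) < 55:
        raise ValueError("attested credential data truncated")
    aaguid = uuid.UUID(bytes=data[37:53])
    (cred_len,) = struct.unpack(">H", data[53:55])
    cred_id = data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credential id")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id, data[55 + cred_len:])


def policy_allowlist(auth: AuthData, allowed: set) -> tuple:
    """Enterprise-style policy: only listed authenticator models may register.
    A zero AAGUID (attestation 'none') fails this check as well."""
    if auth.aaguid in allowed:
        return True, f"aaguid {auth.aaguid} is on the allow-list"
    return False, f"aaguid {auth.aaguid} is not on the allow-list"


def policy_no_attestation(auth: AuthData, rp_id: str) -> tuple:
    """Consumer-style policy: check rpIdHash and user verification, ignore the model."""
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth.flags & FLAG_UV:
        return False, "user verification not performed"
    return True, "accepted regardless of authenticator model"


def registration_outcomes(rp_id: str = "example.com") -> dict:
    """Run three constructed registrations through both policies.
    Returns {label: (allowlist_accepted, no_attestation_accepted)}."""
    pubkey = b"\xa5\x01\x02"  # constructed stand-in for a COSE public key
    results = {}
    for label, aaguid in (("approved_hw", APPROVED_HW_KEY),
                          ("self_hosted", SELF_HOSTED_KEY),
                          ("synced_none", ZERO_AAGUID)):
        auth = parse_auth_data(build_auth_data(rp_id, aaguid, b"\x01\x02\x03\x04", pubkey))
        results[label] = (policy_allowlist(auth, {APPROVED_HW_KEY})[0],
                          policy_no_attestation(auth, rp_id)[0])
    return results


if __name__ == "__main__":
    for label, (allowlisted, open_policy) in registration_outcomes().items():
        print(f"{label:12s} allow-list policy: {allowlisted}  attestation-agnostic policy: {open_policy}")
```

The allow-list policy admits only the constructed "approved" model and turns away both the self-hosted authenticator and the zero-AAGUID synced passkey, which is the exclusion the thread is worried about; the attestation-agnostic policy still verifies the rpIdHash and the user-verification flag, so dropping attestation does not mean dropping the checks that protect the registration itself.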

