Passkeys: A shattered dream

Reliability of passkeys and iCloud Keychain

  • Several people report years of trouble‑free use of iCloud passkeys and Keychain, casting doubt on claims of multiple total data wipes.
  • Others report concrete failures, including a WebKit bug that broke a GitHub passkey and some iCloud data loss bugs (though often hard to distinguish from app bugs or “can’t find it” issues).
  • Overall: experiences range from “rock solid” to “catastrophic but rare”; root causes are often unclear.

Complex, inconsistent ecosystem

  • Commenters who work with passkeys describe a “matrix from hell”: device type × OS × browser × authenticator (Apple/Google/Microsoft/Yubikey/PMs), each with differing behavior.
  • Linux desktop support is especially rough (no unified OS interface; Bluetooth quirks).
  • Website implementations vary widely: some do passkeys well (e.g., GitHub, Google in some flows), others are buggy or constrained (e.g., PayPal only one passkey; odd flows with TOTP; browser‑specific limitations).

Vendor lock‑in and portability

  • Major concern: most platform passkey stores (iCloud, Google Password Manager, Windows Hello) don’t support straightforward export, effectively tying users to ecosystems.
  • Password managers (1Password, Bitwarden, KeePassXC, Vaultwarden, Proton, etc.) can store passkeys; a few allow export (KeePassXC, Bitwarden via JSON). But import/export across vendors is not standardized and sometimes hidden or discouraged.
  • Attestation can let services whitelist authenticators, raising fear that small or open‑source tools get blocked while big vendors are blessed.
  • Migrating off a platform or manager may require touching every account to enroll new passkeys, which is seen as unmanageable at scale.

Security vs. passwords and MFA

  • Pro‑passkey arguments: strong phishing resistance (origin‑bound challenges), per‑site keys, resilience to server database leaks, and better UX than SMS/TOTP for most users.
  • Skeptics note: with a good password manager and unique passwords, practical gains are smaller; many services still require email/password recovery, undermining “passwordless” benefits.
  • Some worry about losing “something you know” in favor of “something you have/are,” especially under coercive law enforcement or medical incidents.

Usability and mental models

  • Many commenters (including security‑savvy ones) say they still lack a clear, simple mental model of passkeys, especially around lifecycle: backup, device loss, switching OS, and shared accounts.
  • Confusion around cross‑device flows (QR + Bluetooth), mixing passkeys with old 2FA, and platform‑specific prompts leads some to stick with passwords + TOTP/YubiKeys, or to use passkeys only as an additional method, not the sole one.

Meta and future outlook

  • Some see passkeys as promising but immature, hurt by over‑complex specs and corporate incentives for lock‑in.
  • Others view the whole effort as fundamentally misdesigned or captured by large vendors, and prefer established tools: SSH‑style keys, smartcards, password managers, and hardware tokens.