Hacker News | lapcat's comments

> Seems like vendor lock-in was the goal from the start.

Exactly. The passkey vendors state that the goal was to make phishing not just difficult but impossible. This means plaintext access to your credentials is forbidden forever, regardless of your level of expertise, and regardless of the complexity of the process to export/import them. The purpose of the so-called "secure credential exchange" is once again to prevent you from directly accessing your credentials. You can go from one passkey vendor to another, but you're always locked in to one passkey vendor or another.

Any credential system that makes it impossible to write something down on a piece of paper, take it to a new computer, and login to a website is just a gateway to vendor lock-in. You can manually manage your own ssh keys but for some reason not your passkeys.

As an Apple Mac user, what annoys me the most is that the use of passkeys in Safari requires iCloud Keychain, which of course requires iCloud and an Apple Account. [EDIT: Obviously I'm talking about built-in support. I'm well aware of third-party software, so everyone can stop replying to this now, please!] You can't do local-only passkeys, not even if you take responsibility for backing up your own Mac.

The passkey vendors took some good theoretical ideas, such as site-specific credentials and public-key cryptography, and totally mangled the implementation, making it hostile to everyone except themselves.


> passkeys in Safari requires iCloud Keychain

This is not true - browsers including Safari support passkeys managed by third-party password managers.

I'm using 1Password with browser extensions for Safari and Chrome on macOS and iOS and it works seamlessly with my passkeys, which are not stored in iCloud Keychain.

> you're always locked in to one passkey vendor or another.

This will change: https://1password.com/blog/fido-alliance-import-export-passk...


> This is not true - Safari also supports passkeys managed by third-party password managers.

I think you know what I meant and are just being pedantic here for no good reason.

Do you think I'm unaware of 1Password? I don't want to use 1Password any more than I want to use iCloud Keychain.

Technically, pedantically, Safari "supports" anything that third-party Safari extensions support. I'm a Safari extension developer myself. But this is totally different from how Safari supports the use of passwords, which is all built in, requires no third-party software, can be local-only, allows plaintext export/import, etc.

> This will change: https://1password.com/blog/fido-alliance-import-export-passk...

This is literally what I meant by the so-called "secure credential exchange" in my previous comment.


Reading the cfx spec [1], the raw private key is exported as a base64 encoded der. I don't understand what your concern is here. It appears that any cfx export file is not tied to a specific service to service import path, but can be imported into anything, or just used locally with self written tools.

1. https://fidoalliance.org/specs/cx/cxf-v1.0-ps-20250814.html#...


This is merely the exchange format between credential providers, which is encrypted and gatekept by the credential providers. None of this is exported to users.

OK I see what you mean. Having the ability to switch between vendors but not the ability to export your data locally (e.g. as plaintext keys) is a new meaning of "vendor lock-in" I hadn't considered before.

Yes. User freedom is not all-or-nothing. There are degrees, and the tech companies are coming up with fiendish new ways to lock away your data from you. So in the case of passkeys, you can technically move your data between vendors, though that can be quite inconvenient as the submitted article mentions, but nonetheless every vendor locks away your data from you, and most vendors have a financial incentive to keep your data away from you, so that you have to pay for the services.

Once "secure credential exchange" becomes supported by commercial credential managers, what's to stop someone implementing an open source password manager that implements the standard and allows local export in plaintext?

Passkeys relying parties can block providers. Tim Cappalli threatened the KeePassXC developers so.[1] The restrictions demanded now do not restrict user freedom significantly arguably. But the incentives and capabilities are clear.

[1] https://github.com/keepassxreboot/keepassxc/issues/10407#iss...


OK but you'd still be able to use the open source "password manager" to export the keys - which solves the issue lapcat raised in this thread - even if relying parties blocked it for authentication, which would be a separate issue.

Someone could develop a "passkey export tool" purely for the purpose of doing credential exchange then local export.

Or are you saying the credential exchange process itself could block providers?


You misunderstood lapcat I think. They wanted Passkeys stored locally exclusively. And they wanted to be able to use them. The issues are not separate.

Hi, Tim Cappalli here.

Not sure how stating that my (an individual) opinions on a topic are evolving is interpreted as "threatened the KeePassXC developers".

If you've been following along, you'll have seen that I am actually one of the biggest advocates of the open passkey ecosystem, and have been working really hard to make sure all credential managers have a level playing field.

Always happy to chat directly if you have concerns!


The threat you relayed was more serious than the threat you made. But it is a threat when a person with influence suggests they may support a punishment.

The biggest advocates of an open ecosystem say attestation should be removed and no one should adopt Passkeys before. Is this your position now?

The concerns were clear I thought. I would be happy to discuss this publicly.


Attestation is not used in the consumer passkey ecosystem.

But it could be. Yes?

Not really. The attestation model defined for workforce (enterprise) credential managers/authenticators doesn't really work in practice for consumer credential managers.

> doesn't really work in practice

Avoid weasel words please. Is it possible in theory to use attestation or any other Passkeys feature ever to prevent a user from using any software they chose with any service they chose?


In theory any code could be written at any time that does something good or bad. Sure.

But in reality, the people who actually work on these standards within the FIDO alliance do not want a world where every website/service makes arbitrary decisions on which password managers are allowed. That would be a nightmare.


Will be a nightmare. If they really didn't want this they wouldn't have put the tool to do it right in the spec.

This is obviously kicking the can down the road, but I "solve" this problem by storing passkeys in a third-party credential manager that supports them. That way I can use them on any device that I've installed the client app or browser extension on. I have this working on Fedora, macOS, Windows, and iOS.

But again, kicking the can down the road.


Well, you can until they use the attestation feature to block your passkey manager implementation.

> The passkey vendors state that the goal was to make phishing not just difficult but impossible. This means plaintext access to your credentials is forbidden forever, regardless of your level of expertise, and regardless of the complexity of the process to export/import them.

Care to cite this statement?

> As an Apple Mac user, what annoys me the most is that the use of passkeys in Safari requires iCloud Keychain, which of course requires iCloud and an Apple Account. You can't do local-only passkeys, not even if you take responsibility for backing up your own Mac.

You can use any credential manager you choose. You don't have to use Apple Passwords / iCloud Keychain.


Quoting your comments on github [0]

>> There is no passkey certification process

> This is currently being defined and is almost complete.

>> no signed stamp of approval from on high

> see above. Once certification and attestation goes live, there will be a minimum functional and security bar for providers.

Will I always be able to use any credential manager of my choice? Any naturally also includes software that I might have written myself. And would you be in support of an ecosystem where RPs might block my implementation based on my AAGUID?

[0] https://github.com/keepassxreboot/keepassxc/issues/10406#iss...


Unclear how this quoted comment relates to what I was replying to (which was about exporting / backing up your credentials).

But I'll respond.

> Will I always be able to use any credential manager of my choice? Any naturally also includes software that I might have written myself. And would you be in support of an ecosystem where RPs might block my implementation based on my AAGUID?

If a website were to block your custom software's AAGUID for some reason, you can change your AAGUID.

AAGUIDs in the consumer passkey ecosystem are used to name your credential manager in account settings so you remember where you saved your passkey.


Well it relates to this sentence:

> You can use any credential manager you choose.

Which I would be careful with. I can use any authenticator that the RP accepts. I could totally see a future where banks only allow certain authenticators (Apple/Google) and enforce this through AAGUID or even attStmt. Similar to the Google Play Protect situation.

At that point, those banks/services would enforce vendor lock-in on me. The reality would be: I can use iOS or Android, but not a FOSS implementation. This restriction is not possible with old-school passwords.
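
Added illustration, not part of any comment in this thread: a relying-party-side parser for WebAuthn authenticator data, showing where the AAGUID discussed above sits on the wire and when an RP can treat it as more than a self-asserted label. The AAGUID value, the label table, the `chains_to_trusted_root` input (standing in for attestation-statement verification, which is not implemented here) and all function names are assumptions constructed for this example.

```python
import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

FLAG_AT = 0x40  # "attested credential data included" bit in the flags byte


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[uuid.UUID]
    credential_id: Optional[bytes]


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the 37-byte header and, if the AT flag is set, AAGUID and credential ID."""
    if len(data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        aaguid = uuid.UUID(bytes=data[37:53])           # 16 bytes, big-endian
        (cred_len,) = struct.unpack(">H", data[53:55])  # 2-byte length prefix
        if cred_len > 1023 or len(data) < 55 + cred_len:
            raise ValueError("credential ID length is out of range")
        credential_id = data[55:55 + cred_len]
        # The COSE public key follows the credential ID; it is not parsed here.
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id)


def aaguid_trust(fmt: str, chains_to_trusted_root: bool, auth: AuthData) -> str:
    """Classify how much an RP can rely on the AAGUID in a registration.

    chains_to_trusted_root is an assumed input: the outcome of verifying the
    attestation statement against roots the RP trusts (not implemented here).
    """
    if auth.aaguid is None:
        return "absent"
    if fmt == "none" or not chains_to_trusted_root:
        # Nothing but the provider's own claim backs these 16 bytes.
        return "self-asserted"
    return "attested"


# Constructed label table, as an account-settings page might use it.
KNOWN_LABELS = {
    uuid.UUID("11111111-2222-3333-4444-555555555555"): "Example Manager (constructed)",
}


def settings_label(auth: AuthData) -> str:
    """Name shown next to a saved passkey; unknown AAGUIDs still get a label."""
    return KNOWN_LABELS.get(auth.aaguid, "Unknown credential manager")


def build_sample(aaguid: uuid.UUID) -> bytes:
    """Constructed registration authenticator data for RP ID example.com."""
    rp_hash = hashlib.sha256(b"example.com").digest()
    cred_id = bytes(range(16))
    cose_key_placeholder = b"\xa0"  # empty CBOR map standing in for the key
    return (rp_hash + bytes([0x45])      # flags: UP | UV | AT
            + struct.pack(">I", 0)       # signature counter
            + aaguid.bytes + struct.pack(">H", len(cred_id))
            + cred_id + cose_key_placeholder)


if __name__ == "__main__":
    sample = parse_auth_data(
        build_sample(uuid.UUID("11111111-2222-3333-4444-555555555555")))
    print(sample.aaguid, settings_label(sample))
    print("fmt=none   ->", aaguid_trust("none", False, sample))
    print("fmt=packed ->", aaguid_trust("packed", True, sample))
```
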


If a website were to attempt to do this, you (or your credential manager) could simply change the AAGUID to match another credential manager.

> Care to cite this statement?

Yes, literally from you: "Passkeys should never be allowed to be exported in clear text." https://github.com/keepassxreboot/keepassxc/issues/10407 Also, "You absolutely should be preventing users from being able to copy a private key!"

> You can use any credential manager you choose. You don't have to use Apple Passwords / iCloud Keychain.

But I want to use Apple Passwords. And I do use Apple Passwords for passwords.

What you're saying, in contrast, is that in order to use passkeys, I would be forced to change how I currently store credentials, which is not in iCloud. "You can choose any method you like, except the one you currently like" is a pernicious interpretation of "choice".


You're quoting the first post of a long discussion, where the importance of protecting your data on disk was highlighted, and a proposal was made that at minimum, the default should be encrypting the backup with a user selected secret or key.

> But I want to use Apple Passwords.

You're choosing to use an app that doesn't meet your needs, when there are numerous apps out there that do meet your needs. I'm not sure how anyone is supposed to solve that for you.


> You're quoting the first post of a long discussion

"You absolutely should be preventing users from being able to copy a private key!" is the 8th post in the discussion.

Do you stand by these words, or are you now repudiating them?

> You're choosing to use an app that doesn't meet your needs

I am using an app that meets my needs. I don't need passkeys. It's just other people telling me that I need passkeys.


Copy and paste in clear text? Yes, I don't think that's a good idea. Download to disk in clear text? Yes, I don't think that's a good idea.

Years and years of security incidents with consumer data show that this is a really bad idea.

At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.


> At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.

What should happen if the developers refuse to enforce this?


> At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.

It feels like this stated minimum is not your actual minimum.

Consider for example a macOS user keychain. The keychain is encrypted on disk with a user-selected password. But once you unlock the keychain with the password, you can copy and paste passwords in clear text. The keychain is not a black hole where nothing ever escapes. And I have no objection to this setup; in fact it's my current setup.

So when you say copy and paste of passkeys in clear text is not a good idea, there's nothing inherent to encrypting credentials with a user key that prevents such copy and paste. There would have to be some additional restriction.


> what annoys me the most is that the use of passkeys in Safari requires iCloud Keychain

Completely untrue, Safari on both Mac and iOS supports third-party password managers for both traditional passwords and passkeys.


You're repeating yourself and also way too many pedantic comments here: https://news.ycombinator.com/item?id=46304159

> The purpose of the so-called "secure credential exchange" is once again to prevent you from directly accessing your credentials.

I’ll accept that the attestation parts of the protocol may have had some ulterior motives (though I’m skeptical), but not having to reveal your credential to the verifying party is the entire benefit of passkeys and hugely important to stop phishing. I think it’s disingenuous to argue that this is somehow unnecessary.


> not having to reveal your credential to the verifying party is the entire benefit of passkeys

I think you misunderstood what I was talking about. The credential exchange protocol is for exporting passkeys from one credentials manager and importing them into another credentials manager. It has nothing to do with the relying party.


Oh, indeed, sorry. Yes I thought you were talking about the authentication process.

It's an open protocol, you don't need to use any of the vendors. My Yubikey is a "passkey", so is my Flipper Zero. Keepass provides passkey support.

For the general public, they already rely on either Google or Apple for pretty much all of their digital life. Nothing wrong with extending this to passkeys, it's convenient and makes sense for them.


> It's an open protocol, you don't need to use any of the vendors. My Yubikey is a "passkey", so is my Flipper Zero. Keepass provides passkey support.

I don't want to use a Yubikey. It's a pain in the butt. I just want to use my Mac, with no more damn dongles.

Keepass is a vendor, and one who doesn't even have a Safari extension.

> Nothing wrong with extending this to passkeys, it's convenient and makes sense for them.

I didn't say there was anything wrong with extending this to passkeys. The problem is the lock-in, e.g., Safari requires iCloud keychain for passkeys, but not for passwords. And there is no plaintext export/import, unlike with passwords.

Nobody can convince me that passkeys are good when I buy a Mac and use the built-in Safari but can't even use passkeys to log in to websites unless I give my passkeys to a cloud sync service or have to install some third-party "solution" (for a problem that should not exist in the first place). That experience is so much worse than passwords.


So don't use software that forces lock-in (Safari)? Sounds like a you problem.

> So don't use software that forces lock-in (Safari)? Sounds like a you problem.

No, this is a passkeys problem. Safari does not force lock-in of passwords.

Why in the world would I want to ditch my web browser just to use passkeys? I'd rather ditch passkeys.


Again, this is a Safari problem, not a passkeys problem. You are literally complaining about missing features in Safari.

> Safari requires iCloud keychain for passkeys

Repeating this doesn’t make it true. https://developer.apple.com/documentation/authenticationserv...

All of the 3rd party credential managers I’ve used that support passkeys work with safari, and through the APIs that Apple offers the credential managers you can even pick your default CM and never think about iCloud again…


> All of the 3rd party credential managers I’ve used that support passkeys work with safari

I've already addressed this pedantry: https://news.ycombinator.com/item?id=46304137


> How many people would jump ship with Reed Hastings if you excommunicated him

By people do you mean voters or donors?

I suspect that approximately zero voters would care.

> which are the Republican voters who would be swayed to replace (and hopefully more-than-replace) them?

This is a false dichotomy. At this point, Republicans cannot be swayed by anything. Trump just said that Rob Reiner was murdered because of "Trump Derangement Syndrome". It's impossible for him to lose his loyal followers, no matter what he does or anyone else does.

Both major political parties are extremely unpopular among nonpartisans. They plug their noses and vote, if they vote at all. In the 2024 Presidential election, 37% of eligible voters voted for neither, mostly for nothing, whereas only 32% of eligible voters voted for Trump. Swing voters and nonvoters are not necessarily "moderate". That's a myth. They're nonpartisan, which is not to say that they're "between" the two parties. Many of them hardly even pay attention to politics. There's a lot of room to appeal to people who are disaffected with the system.

The most popular politician in the US is Bernie Sanders. And the reason is that he's the most popular politician among political independents. He's not the most popular politician among Democrats (which is why he lost the Democratic nomination), and obviously he's not the most popular politician among Republicans, but across the whole spectrum, he's more popular than anyone else.

It's also important to note that it wasn't until after the Reagan Presidency (and arguably due to its policies) that the ultra-wealthy came to monopolize most increases in personal income, so populism itself wouldn't have been as popular in the 1980s as it is now, as economic disparity has grown unabated in the decades since.


> By people do you mean voters or donors? I suspect that approximately zero voters would care.

I doubt anyone's polled this specific question, but I would encourage you to calibrate against voter support for, say, capitalism. Guess how many Americans support capitalism, look up the polled number, and see if it surprises you. Perhaps no voters would care about a personal vendetta against one or two specific people, but a lot of voters would care if Democrats took the position that capitalism is bad and we've got to fight it.

> This is a false dichotomy. At this point, Republicans cannot be swayed by anything. Trump just said that Rob Reiner was murdered because of "Trump Derangement Syndrome". It's impossible for him to lose his loyal followers, no matter what he does or anyone else does.

This is, again, an analysis that doesn't make much sense when you recognize that coalitions are not static. A number of Trump voters voted for Obama in 2008, felt for some reason or another that they had to "plug their noses and vote" for Trump, and will end up voting for whoever the next Democratic president is. One of the key reasons Sanders is relatively popular among non-Democrats is that he gets this and messages accordingly; his argument is never that some large group of voters is bad or unreachable, always that they've been tricked.

I personally think anyone who could ever vote for Trump is a terrible person, and would never be willing to solicit or rely on their support for anything, but that's why I'm not a politician.


> Guess how many Americans support capitalism, look up the polled number, and see if it surprises you.

Guess how many Americans support Medicare For All, look up the polled number, and see if it surprises you.

None of the populist Democrats that I'm aware of have run on abolishing capitalism, not even self-described socialist Bernie Sanders. Not Mamdani either. It's just a question of how much of a role we allow the government in the capitalist system, how much regulation, and how many public services. Nobody thinks that the US is a socialist or communist country because we have the US Postal Service, for example, or a public military. Socialized medicine would not make the US non-capitalist either, any more than it does in Canada or Europe.

> A number of Trump voters voted for Obama in 2008

Yes, but they're obviously not Republicans! They're swing voters. Thus, what I said in your quotation of me does not apply to them. In 2020, Biden won swing voters, whereas in 2024, Trump won swing voters. They swing from one side to the other. They're not partisan, not loyal to a party or a person. This was my point: you can't move Republicans, but you can move independents, and there are actually a lot of independents.

In one year of "governing", Trump has already lost many independents. He's much more unpopular now than he was on election day. The ones who remain supportive are the loyalists. Last I checked the polls, over 85% of self-identified Republicans still approve. (And non-approval doesn't mean they wouldn't vote for him again, or would vote for a Democrat as opposed to not voting or voting for a right-wing 3rd party candidate.)


> Guess how many Americans support Medicare For All, look up the polled number, and see if it surprises you.

I predict that it's a large majority, >60%, and am unsurprised to see a poll saying 65% (https://www.dataforprogress.org/blog/2025/11/medicare-for-al...). As with universal background checks, the challenge is not coming up with a slogan that gets lots of support but refining it into a concrete policy proposal without losing too much.

If you were following politics during the Obama presidency, you'll recall the "you can keep your plan" saga, where a number of voters expected that healthcare reform shouldn't affect which doctors they can see or what coverage they have, a standard which even the ACA couldn't meet and no Medicare For All proposal could even approach. Another big problem is that the American Medical Association opposes Medicare For All, and people generally trust doctors more than politicians about healthcare.

> Yes, but they're obviously not Republicans! They're swing voters. Thus, what I said in your quotation of me does not apply to them. In 2020, Biden won swing voters, whereas in 2024, Trump won swing voters. They swing from one side to the other. They're not partisan, not loyal to a party or a person. This was my point: you can't move Republicans, but you can move independents, and there are actually a lot of independents.

Again, this is something where I'd encourage people to put themselves in Chuck Schumer's shoes. If you applied this attitude in the 1980s, you'd have to conclude that Democrats should simply give up on trying to win the presidency; there aren't enough swing voters, the Republican candidate keeps winning in blowouts, and certainly there's no point trying to compete in solid Republican states like California. If you're behind right now and want to start winning elections, you simply can't start from the premise that anyone who identifies with the other side is unreachable. It's true that the Republican candidate will always win the vast majority of self-identified Republicans, but the size and shape of that set can be greatly influenced by political strategy.


> I predict that it's a large majority, >60%, and am unsurprised to see a poll saying 65%

Yes, and I don't think I'd be surprised about how many Americans support capitalism. I generally support capitalism.

> healthcare reform shouldn't affect which doctors they can see

> no Medicare For All proposal could even approach

Of course you couldn't keep your plan but why couldn't you keep your doctor when all doctors would be under the single government plan? It's not like the public loves health insurance companies.

> the American Medical Association opposes Medicare For All, and people generally trust doctors more than politicians about healthcare.

This seems like an equivocation. People don't necessarily trust doctors about politics. Moreover, trusting your doctor is not the same as trusting the AMA.

> Again, this is something where I'd encourage people to put themselves in Chuck Schumer's shoes.

Never.

> there aren't enough swing voters

Why in the world would you conclude that in the 1980s?

You know, Jimmy Carter did win in 1976, and was pretty close in California despite losing. (Carter had already become so unpopular in 1980 that he was primaried by Ted Kennedy, before he faced Reagan.) Dukakis was also pretty close in California. It's crucial to note that Ronald Reagan was the Governor of California, and Richard Nixon was Senator from California, so they had home state advantage there. Even poor Mondale won his home state of Minnesota. And note that California had a Democratic Governor (Jerry Brown) in 1980.

> If you're behind right now and want to start winning elections, you simply can't start from the premise that anyone who identifies with the other side is unreachable.

I would submit that 2020s Republicans are not 1980s Republicans. After decades of right-wing media indoctrination, Republicans are now detached from reality and believe all kinds of crazy things. Approving of Trump after everything Trump has said and done is not even remotely the same as approving of Reagan.


> society has been caught with its pants down by the speed of innovation.

Or rather by the slowness of regulation and enforcement in the face of blatant copyright violation.

We've seen this before, for example with YouTube, which became the go-to place for videos by allowing copyrighted material to be uploaded and hosted en masse, and then a company that was already a search engine monopoly was somehow allowed to acquire YouTube, thereby extending and reinforcing Google's monopolization of the web.


Innovation has always been faster when copyright is lax. The US was copying British and other European inventions during the industrial age left and right, and their economy took off because of it.

False accusations of AI writing are becoming absurd and infuriating.

The other day I saw and argued with this accusation by a HN commenter against a professional writer, based on the most tenuous shred of evidence: https://news.ycombinator.com/item?id=46255049


[flagged]


> My friend

We're not friends.

> the article whose provenance you are defending is clearly LLM-“punched up” at a minimum.

I'm not even going to ask for your evidence, because the previous argument I had was a frustrating waste of time that ended with insane reality denial by the other party: "Textbooks don't contain section headers every few paragraphs." https://news.ycombinator.com/item?id=46256470

I encourage you to read through the entire argument, though, and see how the AI accuser makes false empirical claims and generalizations at every step, constantly moving the goalposts whenever I presented disproof.


I don't think it's useful to compare writing a book for money with writing a blog for no money.

Making money? Geez, you’re an optimist and that’s a good thing. I wish I had made money. My foray into publishing was the most expensive career I have ever had.

> Making money? Geez, you’re an optimist and that’s a good thing.

I'm not. I'm well aware of the bleak prospects. But I'm not the one who told people that they should try to publish.


I may be in the minority, perhaps even a minority of one, but I disagree that publishing a blog is worthwhile even if nobody reads it. I honestly don't understand the point. Write a diary for yourself if you want, fine, but what exactly are you gaining by putting it out there? It's even worse if you have to force yourself to do it, which appears to be the case here. Force yourself to exercise every day, because that's good for your physical health, but is blogging good for your health?

Writing in public is performance art. Some people are naturally performance artists and need to perform to satisfy some internal urge. If you're not one of them, don't let anyone else convince you that you need to be one. It's ok to not blog. The idea that everyone should have a blog is completely unjustified.

I read another comment that said you should write blog posts at least once a week. That sounds a lot like a job. An unpaid job at that. Forget this silly peer pressure.


You definitely are in the minority - of minus one. :)

Between diary and blog, a blog is the better option, because it has all the advantages of a diary, but also the potential upside of publicity (if you want it).


> the potential upside of publicity

How much publicity have you received? Be careful what you wish for. It's crucial to note that publicity brings a number of potential downsides. For example, close to home, Hacker News commenters will totally trash you, whether you deserve it or not.


> This shouldn't be controversial. Height is well-known to be heritable.

I don't understand why so many commenters here are arguing against a straw man. The article author does not and never did believe in the "blank slate" theory. The author has a "centrist" view that genes matter but are not the only determining factor.


I was responding to the previous comment, not so much the article.

> The author has a "centrist" view that genes matter but are not the only determining factor.

Nobody thinks genes are the only determining factor (that's a straw man on the other side :)

Most people agree it is somewhere on a continuum. Some people think it leans more one way; others the other way. Some people want it to lean more one way; others want it to lean more the other.


> I was responding to the previous comment, not so much the article.

How so? You said, "This shouldn't be controversial. Height is well-known to be heritable. Being tall gives you a better shot at making the NBA. The same is true for many other things." But there's no indication that the previous comment was arguing the opposite of that. Rather, the previous comment was arguing against this idea: "Surely success and intelligence is just an inborn thing, and thus inevitable and unchangeable. There’s nothing they can do, and it was always going to end up that way. Inevitability erases any feelings or guilt or shame."


I said quite a bit more than what you quoted. And I find your interest in my comment and why I made it... odd.

I'm sorry if I didn't get my point across in a way that satisfies you. But I suggest you take a step back and re-read what both of us wrote. Or maybe just move on.


The author questions whether genes are a meaningful factor, in the large, and comes down against it. I don't think that makes them a centrist; I think they're just rejecting a caricature (the "blank slate") laid out by people strongly invested in the idea that intelligence is determined genetically.

> At 30%, one does observe a faint correlation between genetic potential and IQ. The correlation becomes clearer at 50%, while remaining quite noisy. This is an essential aspect to keep in mind: 50% may sound like a solid heritability figure, but the associated correlation is rather modest. It’s only at 80% that the picture starts to “feel like” a line.

My understanding is that the author thinks the heritability of IQ is somewhere between 30% and 50%, but not 80% or 100%, and not 20% or 0%.


I'm not reacting against the article, but the people mentioned in the article that the author is critiquing.

> Sure, we have 50 years of research proving that children are blank states

No, we don't.

> I find it extremely difficult to believe that we'd be born equal

This is not what the article author claims or ever claimed.


> It’s not that surprising that many successful people seem to be strong fans of heritability, or more broadly, of the idea that metrics like IQ point to some sort of “universal independent” metric of value. To do otherwise requires living one’s life in cognitive dissonance; how could they be worthy of such riches while others struggle to just pay the bills? Surely success and intelligence is just an inborn thing, and thus inevitable and unchangeable. There’s nothing they can do, and it was always going to end up that way. Inevitability erases any feelings or guilt or shame.

I've never understood the idea that winning the genetic lottery somehow makes a person more "deserving" or "worthy" than another. To me, the whole idea of "meritocracy" is a moral abomination.


How do you understand meritocracy? It seems natural that those that do valuable things get rewarded a lot.

Ideally everyone would get the same chances to do valuable things but that's not how the world is set up. Unfortunately.

However, trying to change that must be done with care as it's easy to increase injustice (looking at most communist systems).


> It seems natural that those that do valuable things get rewarded a lot.

I'm not fond of the term "rewarded." I understand how prices are determined by supply and demand in economics. Obviously in the labor market, some skill that is in high demand and/or short supply will bring a high price. However, economics are largely amoral. The economic system is not an ethical system to reward the worthy and punish the unworthy, just a method of distributing resources.

There's both an uncontroversial and a controversial interpretation of "meritocracy." Uncontroversially, those who are best qualified for a job should do that job, especially for life-and-death jobs like in medicine. This is how the argument usually starts, with the uncontroversial interpretation, but then it slyly shifts to the controversial interpretation, that certain people "deserve" more money than others, often a lot more money, due to their qualifications. And while we may want economic incentives for the most qualified people to pursue certain jobs, overall it doesn't appear to me that the economic incentives align with societal benefit. For example, we massively reward professional athletes and entertainers much more than doctors and nurses.

Ultimately, the controversial notion of meritocracy is used to justify enormous disparities of wealth, where a few people have so much money that they can buy politicians and elections, whereas others are so poor that they have trouble affording the basics like food, shelter, and medical care. And supposedly that's all based on "merit", which I think is crap.


> The question never was about whether or not genetic differences contribute to the spread of intellectual talent—they obviously do. The question always was about the “interesting place” Paul Graham talked about, the meaningful space between genetic potential and actual achievement, and whether or not it really existed. And, at 30% or 50%, this place surely exists.

The author of this piece totally ignored that heritability is only part of the genetic lottery.

"Heritability", strictly construed (as is the case in every study establishing heritability numbers) isn't necessarily a description of a "genetic lottery" at all. Plenty of things are highly heritable and not at all genetically determined, and the converse is also true!

What do you mean?

That heritability doesn't cover all genetic factors. E.g. out of 100% of IQ variation 50% might be inherited, but that doesn't say that the rest is nurture, right? It can still have a huge factor of genetic lottery. E.g. isn't heritability the mean of the genetic effects, but there's also the rest of the distribution (std. dev)?

Still have no idea what distinction you are making.
