Passkeys

I fully expect that as this tech becomes popular enough for web sites to adopt, we’ll see passkeys (or some non-Apple-trademarked version of the same tech) supported by these other platforms, either as a part of web browsers or by Windows/Linux/Android system software.

As for switching back to passwords, like any web service, that will depend on how the particular web site operator configures everything. Some sites will be easy, some will be hard, and some may be impossible.

That’s a far more interesting question. We’ll have to see how the actual implementation works.

With OpenSSH, your public/private key pair exists as a pair of text files in your ~/.ssh directory. You can copy these files to any computer running OpenSSH or a compatible system.

Hopefully FIDO will come up with some kind of standard interchange file that Apple can export and other platforms can import. From what little I’ve read so far, that appears to be an area still under development, so moving passkeys to non-Apple equipment (that is, exporting them from the Keychain in a form that other platforms can import) may not be possible with the initial release, but hopefully Apple will implement it when it is developed.
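The OpenSSH point above is easy to see in practice. The script below is an added example, not code from the original post: it generates a throwaway ed25519 pair in a scratch directory, copies the two files the way a second machine would receive them, re-derives the public key from the copied private file, and checks that both fingerprints match. It assumes `ssh-keygen` from OpenSSH is installed; the key comment `demo@example` and the temp-directory paths are choices made here for the demo.

```shell
#!/bin/sh
# Added example: an OpenSSH key pair is two plain text files that can be copied anywhere.
# Assumes OpenSSH's ssh-keygen is on PATH. All paths are temporary and removed at the end.
set -eu

# demo_ssh_key_portability
# Generates a key pair in a scratch "source" directory, copies it to a scratch
# "destination" directory, and prints the SHA256 fingerprint of the original
# public key as the last line. Returns non-zero if the copied pair does not
# reproduce the same public key.
demo_ssh_key_portability() {
    src=$(mktemp -d)
    dst=$(mktemp -d)

    # -N "" creates an unencrypted private key so the demo runs non-interactively;
    # a real key should carry a passphrase.
    ssh-keygen -q -t ed25519 -N "" -C "demo@example" -f "$src/id_ed25519"

    # Both halves are ordinary text: a PEM-style block and a single-line public key.
    head -n 1 "$src/id_ed25519"
    cat "$src/id_ed25519.pub"

    # "Moving" the key to another computer is a file copy. Keep the private half
    # at mode 0600: ssh refuses to use a private key other users can read.
    cp "$src/id_ed25519" "$src/id_ed25519.pub" "$dst/"
    chmod 600 "$dst/id_ed25519"

    # The public key can be re-derived from the private file alone, which shows
    # the copied private file is a complete, self-contained credential.
    ssh-keygen -y -f "$dst/id_ed25519" > "$dst/derived.pub"

    orig_fp=$(ssh-keygen -lf "$src/id_ed25519.pub" | awk '{print $2}')
    copy_fp=$(ssh-keygen -lf "$dst/derived.pub" | awk '{print $2}')

    rm -rf "$src" "$dst"

    # Last line of output: the fingerprint, for callers that want to check it.
    echo "$orig_fp"
    [ "$orig_fp" = "$copy_fp" ]
}
```

Run it with `demo_ssh_key_portability`; the last line printed is the `SHA256:` fingerprint, and a non-zero exit means the copy did not reproduce the original key. The contrast with a passkey is the point of the thread: there is no equivalent pair of files to `cp` out of the Keychain.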

I looked at the show notes and his main argument against FIDO2 and Apple’s Passkeys implementation of it is that it isn’t designed well enough in his opinion. He agrees that from a security standpoint it is just fine but offers himself as one example of the many people who need to operate in a cross platform environment. He explains that both approaches are secure but that FIDO2/Passkeys don’t have any inherent cross platform capabilities such that a user can get their…authentication tokens for lack of a better word…easily transferred between Apple’s ecosystem, Android devices, Windows, Linux, Solaris and whatever else one needs to use. He chooses to use an iPhone and iPad for his personal devices because of whatever reasons he chose them…security, ease of use, look and feel, integrated system…he’s probably detailed in the past why he made those choices but the reasons aren’t material. He needs to use Windows for his work because he writes software designed to run on Intel platforms and writes in Intel Machine Language which requires a Windows environment.

He thinks…and he’s most likely right…that none of the major players signed up for the FIDO2/Passkeys alliance will implement cross platform sync. Apple uses iCloud for theirs which works fine for Apple hardware but is Apple going to supply sync to Android or Windows or Linux? Probably not. Similarly…Microsoft or Google or whoever isn’t going to provide sync outside their ecosystem either.

This…in his opinion and again I agree…makes the FIDO2/Passkeys system not designed well enough as compared to a system that provides cross platform sync capability. I also think that he realizes…and knew it all along but was hoping to have it adopted into the other standard since it was released as open source…that SQRL is not going to be widely accepted because the whatever it is that Apple, Google, Microsoft, et al. bought into has a critical mass behind it.

Frequently better is the enemy of good enough…and I’m sure he knows this as well. Yes…he touts in the podcast that SQRL is better designed because it is cross platform but he does say that both are better than the userid/password system used now. SQRL has its drawbacks as well…such as not working for multiple accounts at the same domain…and he might not have thought about that when he was designing the system…but I would bet that it could be added to so that multiple accounts at the same domain would work just fine. I believe that way back when he first started thinking about SQRL FIDO had either just been announced or was in the rumblings stage of development…and that he saw the drawback of a system that had no cross platform sync and headed off to build a better mousetrap…and just missed or didn’t think about the multiple account issue.

He never expected to make any money off of his work…he’s said in the past that it was always going to be open source and hoped that it would be used to make the final solution better.

I haven’t seen the Steve Gibson talk, but I will note that Apple, Microsoft, and Google made a big deal about the cross-platform aspects of Passkeys. It may not be there today, but they’re all saying it’s being built into their platforms over the course of the coming year.

In particular:

Today’s announcement extends these platform implementations to give users two new capabilities for more seamless and secure passwordless sign-ins:

  1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to reenroll every account.
  2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method.
