
186 points Bogdanp | 1 comments
dan-robertson ◴[] No.45106484[source]
What do security professionals think about passkeys? In particular, those who were not involved in designing them. Lots of the arguments in this article feel very much like the sort of thing one would expect from someone into open source (not saying they are wrong, and I think they are well explained here) but I feel they will inevitably be the product of different concerns than those a security practitioner might have.
replies(5): >>45106725 #>>45106875 #>>45108342 #>>45108792 #>>45116912 #
tptacek ◴[] No.45106725[source]
Security people are generally pretty positive on Passkeys. Eliminating passwords has been the white whale of information security for over 3 decades. Practitioners are generally positive about FIDO2 (Yubikeys are fetish objects for them). I think message board people would probably be surprised at security practitioner attitudes towards Apple and Google authentication lock-in (locking my team into Google authentication would be one of my first moves at a new firm, and that's not an idiosyncrasy of mine so much as me doing what other CISO-types all say they do).
replies(2): >>45107863 #>>45117276 #
NoGravitas ◴[] No.45117276[source]
> I think message board people would probably be surprised at security practitioner attitudes towards Apple and Google authentication lock-in

We're not surprised, but I think many of us are horrified. I think it's a culture clash, partly between Free Software and Enterprise communities, partly between developers and security professionals. Given that it's a culture clash, I don't actually see any resolution that will make everyone happy.

replies(1): >>45140418 #
hooverd ◴[] No.45140418[source]
Many security professionals suffer from a horrible case of Boyscoutism where they think snuffing out freedoms is okay because bad people will never be doing the snuffing out.