
WebAuthn vs. Interoperability

published on 2025-10-29T16:43:16Z, last updated on 2025-10-29T16:43:16Z

WebAuthn, a subset of which is marketed as passkeys, is something that seems rather scary to me from an interoperability perspective.

Not only is it a lock-in in terms of authenticators, it's also a lock-in to Chrome/Firefox/Safari.
Wanted to use an alternative browser? Nope.
And you can probably forget using it on embedded devices outside of Android/iOS.
Wanted to authenticate to a service on your e-reader? Nope.

But there's also the issue of authenticating from non-browsers such as native applications. Granted, a lot of them use OAuth tokens or similar, but there's a sort of bootstrapping problem on systems where you don't have a full-blown mainstream browser.
(And good luck copying the OAuth token from one device to another.)

And the design of WebAuthn means you can't copy the generated token into a text field, unlike TOTP (sometimes branded as things like Google Authenticator), which has none of those issues while still allowing the use of hardware tokens.
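To make the contrast concrete, here is an added example (not code from this post): an RFC 6238 TOTP generator and verifier next to a simplified construction of the bytes a WebAuthn authenticator signs. The relying party `example.org`, the challenge values and the helper names are assumptions, and the `clientDataJSON` shown carries only its three core fields.

```python
import base64, hashlib, hmac, json, struct

RFC6238_SECRET = b"12345678901234567890"  # published RFC 6238 test secret, not a real one

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA-1): depends only on the shared secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, typed_code: str, unix_time: int, window: int = 1) -> bool:
    """Server side: the code is plain text, so it does not matter which device typed it."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * 30).encode(), typed_code.encode())
        for d in range(-window, window + 1)
    )

def webauthn_signed_bytes(rp_id: str, origin: str, challenge: bytes, sign_count: int = 1) -> bytes:
    """Bytes signed for an assertion: authenticatorData || SHA-256(clientDataJSON).

    Simplified: no extensions, and clientDataJSON holds only type, challenge and origin.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }, separators=(",", ":")).encode()
    flags = 0x01  # user-present bit
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return auth_data + hashlib.sha256(client_data).digest()

if __name__ == "__main__":
    # TOTP: six digits that can be read off a token and typed into any text field.
    code = totp(RFC6238_SECRET, 59)
    print("TOTP code:", code, "accepted:", verify_totp(RFC6238_SECRET, code, 59))
    # WebAuthn: the signed input changes with every server challenge and names the origin,
    # so the response has to come back through a client that speaks the protocol.
    a = webauthn_signed_bytes("example.org", "https://example.org", b"constructed-challenge-1")
    b = webauthn_signed_bytes("example.org", "https://example.org", b"constructed-challenge-2")
    print("signed input length:", len(a), "bytes; differs per challenge:", a != b)
```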

You could argue on usability: WebAuthn is likely friendlier to most when you follow the intended path, thanks to browser integration. But that is not due to the underlying WebAuthn properties, which instead cause problems, and ones that you're likely to discover the hard way: getting the authenticators you use revoked; not being able to authenticate on some devices; backups being harder; …
