If you are truly paranoid that your major device accounts are subject to termination without recourse (which, if that happens, means you generally have lots of other problems and should maybe cause you to rethink your other trust relationships with such vendors and which devices you are buying), you can build your own Passkeys with WebAuthn standards and roll your own recovery/backup strategy. (Most FIDO-compatible WebAuthn keys already work today anywhere Passkeys are supported; Passkey is just the "brand name" for those standards plus a soon-to-be-standard Bluetooth LTE handshake plus vendor-guided backup and recovery plus whatever cross-device ecosystem "interop" standards the Big 3 eventually settle on.)
If this is the case, then maybe there will be some solution through Google Takeout. Apple and MS seem less interested in this, but if one of them can generate an export, I can see services appearing that can work with that exported data.
> you can build your own Passkeys with WebAuthn standards and roll your own recovery/backup strategy.
This... or I can stick with passwords, print them out annually and put them in my fire safe. The KISS principle works here, and I can't imagine a non-techie person who works in a socially-risky field being able to do so.
> If you are truly paranoid that your major device accounts are subject to termination without recourse (which if that happens you generally have lots of other problems and should maybe cause you to rethink your other trust relationships with such vendors and which devices you are buying)
Complaints by users who have Big 3 cloud accounts closed for unspecified "violations" are common enough to make it a concern. I take other protections against something like this, but I absolutely do consider it a risk, and would generally advise people not to keep all their digital services under one roof. If you use Gmail for email, then use Microsoft or Apple for Passkey, Bitwarden or 1Password for Password Vaults, etc., etc.
So far as I'm aware none of them are planning key exports any time soon. Keeping keys in the various secure enclaves of users' devices is a key part of the security footprint they are trying to establish. That's why multi-key enrollment is the base case in all Passkey systems: recovery, multi-device support, etc. all hinge on continuously expiring old keys and auto-enrolling new ones. There's no export, and cloud backups aren't "backups" but different, vendor-escrowed keys (often themselves in hardware cloud secure enclaves that cannot be exported, only new keys added to keychains) and ways to attest for (sign) new keys in recovery situations.
As I said way above, the theory is that enrolling all of your devices and all of your top-level recovery accounts will be easy and convenient enough on every website, not just your bank (given how many banks still don't even support proper TOTP, hopefully better than some banks today), and enough so that everyone does it by habit. I agree, there are huge practical risks that someone gets it wrong and there are all sorts of ways what should be easy turns into complicated soup that never works right. That's the brief glimmer of hope here offered by the Big 3 alliance on this and making it a major marketing endeavor. They've put a lot on the line for this.
> This... or I can stick with passwords, print them out annually and put them in my fire safe. The KISS principle works here, and I can't imagine a non-techie person who works in a socially-risky field being able to do so.
The hope is that, with the Big 3 all in agreement here that passwords need to be entirely replaced and that the only way that happens is if what replaces them is as easy and uncomplicated as possible for non-technical people to use every day, Passkeys will see strong implementations everywhere and that cross-vendor multi-device interop will be strong enough for everyone to rely on (even if you distrust one or all three of the Big 3).
> Complaints by users who have Big 3 cloud accounts closed for unspecified "violations" are common enough to make it a concern. I take other protections against something like this, but I absolutely do consider it a risk
I consider it a risk too, but as with all things security, every risk needs to be evaluated within the template of a larger threat model. Email is already the de facto chokepoint for recovery of almost any account (and passkeys don't necessarily change that; "Forgot Password" flows still probably exist in passkey worlds, just differently). You have a ton of eggs in whatever basket is your email provider (and for the majority of people often one of the Big 3). Phones are already the de facto chokepoint for account access (whether because of TOTP or single-ecosystem "apps" or all sorts of other lock-in mechanics). Passkeys don't substantially change these existing deep trust relationships (and weren't really designed to); for most people in most threat models, the amount they are trusting their various relationships with the Big 3 doesn't substantially shift with a switch to Passkeys. (For good and bad. Absolutely some people are underestimating exactly how much they trust one vendor or another and how much they have to lose if their account is suspended for any reason without warning or easy recourse.) (Your threat model is your own and will vary, of course.)
On top of that, other vendors will be playing ball in this space. Mozilla isn't a direct part of the "Passkey Alliance" but has stated their interest in Passkeys and cross-platform/cross-device interoperability. There will be more, too, over time. Possibly enough paranoid people will roll their own that good self-hosting and open source options will roll out eventually; even if most people won't use them and most people won't need them in their personal threat models, having more options is always a good thing (and a Plan B if your threat model changes for any reason). All of this is in a cloud of enough open standards that vendor lock-in, while maybe not impossible, should be unlikely.
You are right to be worried. You are right to be questioning all of this. I appreciate your concerns here (I know I have an uneasy relationship at best with at least one of the Big 3 myself). I hope I've offered at least some reasoning on where some of your concerns may be mitigated by the ecosystem as a whole.
Honestly, if they don't, they may find themselves under significant government regulation. The DMV in most states is hard to work with, but they work with everyone, regardless of disability, felony record, reprehensible views, everyone. If we're going to allow these companies to take this authoritative role in our systems, they should necessarily lose the right to refuse service. If they don't want that trade-off, then they should hand the whole thing to login.gov and other Government Identity schemes.
The best hinge point I would use in conversation with these players is to plan for third-party access from the beginning. Systems like Lastpass and Bitwarden have built robust systems for emergency access in the event of hospitalization or death. They've done so because it's needed, often. If the Big 3 commit to allowing some access-for-transfer-out when accounts are closed or access is lost, even in non-ideal situations, that would go a long way.
How will Passkeys work for users who don't have or want a smartphone? There are plenty of people who carry no electronic devices on their person, and who primarily access the Internet through library access stations, other public Internet services, or multiple desktops. Will they be unable to use a site that is passkey-auth-only until they get such a device?
I think the immediate answer is that something like a Microsoft Account-based login system and cloud-based key escrow becomes more unavoidable in situations like that. But I'm not sure, and hopefully there are smart minds exploring some of these scenarios in the long term. Relatedly, I know there are some long-term creatives trying to figure out if "smartphone" is becoming a required utility for the modern world (TOTP has already made that a recently strong requirement in plenty of areas; soon you may not be able to bank without a mobile device, for instance) and whether the "phoneless" may be its own evolving economic crisis on top of homelessness to deal with in the long term. "Give everyone phones" may sound like a curt, dumb answer, but it may end up being something close to the answer: go to your local DMV and get a secure phone as your digital ID to go with your physical ID. I don't know if that is the plan; I just know it is a plan I've heard we need to consider, that "baseline personal hardware" may be an ever-increasing need.