> My hope is that one can bring your own provider.
Everyone always says this, but it's always just a hope. And given the history of the FIDO Alliance standards on backing up keys, and given the players involved, I think it's reasonable to say that people just straight-up should not use passkeys until it's not a "hope" and backup/migration actually works as part of the standard itself.
Note that this doesn't mean:
- Migration is allowed but not mandated. Migration must be built into the standard or else vendors will eventually introduce lock-in in the future under the guise of security. It cannot be optional.
- Migration is allowed through special contracts using some locked-down behind-the-scenes company-to-company transfer. I need to be able to sit down on my Linux computer with an Open Source piece of software that I compiled and I need to be able to move the keys from my iCloud account to that software.
I want to assume good faith from the FIDO Alliance standards, but some of the messaging around this has been straight-up deceptive. 1Password advertised itself as solving the portability problem, but last I checked it doesn't. 1Password is device agnostic but does not allow exporting your passkey information to another account.
I've run into so many scenarios where advocates straight-up misrepresent what portability means that I now give really specific tests instead, because otherwise the conversation doesn't go anywhere. I keep running into advocates that tell me "it's usable today" and in the same breath tell me "it's early days, we'll get to the portability stuff later."
So the specific criterion is: if I can't compile my own software on a Linux computer and move my "keys" or whatever authentication mechanism is tied to that account into that software as a single operation, without logging into and re-validating every single account individually or adding another authentication mechanism to each account, then it's not portable and I'm not using it. It needs to specifically allow for that, and there needs to be a real working Open Source project that I can run today that allows it. Otherwise, it's not actually portable today. Furthermore, if I do compile my own software and move in those keys, and then I go to log into a website and the service refuses to let me log in because I've failed a hardware attestation check and I need to use an Apple device to log in -- then it's not portable. That cannot be something that the spec allows or encourages, or it's not actually portable.
But (and as always, I would be thrilled to be proven wrong about this) the spec itself allows for that kind of behavior with hardware attestation with basically no downside other than a "please be a nice company and don't do this" warning, and noise from the FIDO Alliance advocates I've seen online is that they don't want to mandate a specific migration format in the spec or make migration a requirement for companies that want to advertise that they implement Passkey; they want to leave that process up to individual companies under the "hope" that those companies will do the right thing.
I'm not just not adopting Passkeys, I'm actively discouraging adoption of the standard until that's fixed. I'm not signing into a locked-down ecosystem under the hope that it might become more open later in the future, maybe. There's a version of Passkeys that I would be excited about and that I would build support into my projects for, but it's not the version that exists today.