Passkeys are nice. The math is nice. The tech is nice. https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html
What I still don't see after so many hours: what software creates the passkey. User autonomy is important, and it is a (private) key question (pun intended). I do not really see this answered anywhere.
Of course it is created on the device. But is it the pass manager or the operating system? It should be the pass manager, since we store our secrets in a pass manager that we trust.
I am not hostile to Apple, Google, Microsoft (or Linux); I use the Google Password Manager, by the way. But it should be a choice, and if you choose an open source pass manager (which I might in the future), it should create the key pair (and with it, the secret private key).
However, it seems to me that pass managers may only get an API from the OS, and the OS creates the keys as of now. Practically, as of now, would 3 US companies create all the secrets of the world in the future? https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys
Another thing I can't get my head around: a passkey requires a pass manager. Should domain service providers (relying parties) let users who do not use cross-platform pass managers create passkeys on Apple, Google, Microsoft (later on Linux), and so end up having secrets in 4 pass managers eventually?
Or just let them create the one and only passkey (until deletion or change), and make it the responsibility of the user (and actually AGML) that they can sync THE passkey cross-platform? And how will this happen? Export, encrypted export, magic?
Since this is a crypto exchange: does it matter whether the OS or the pass manager creates the secret key? Does the OS not see everything anyway (and store it and send it anywhere)?
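Added example, not from the original post and not from any of the vendor documentation it links: a Go model of the WebAuthn registration and login ceremony that a passkey is built on. The `Authenticator` type stands in for whichever component generates the key pair (OS keystore or password manager); it is the only party that ever holds the private key, while the `RelyingParty` stores public keys and can verify signatures but never produce them. Every name here (`Authenticator`, `RelyingParty`, `example.com`, the sequential credential IDs) is an assumption for illustration, and clientDataJSON and authenticatorData are reduced to the fields that are checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// credential is one passkey: the private key plus the site (rpID) it is bound to.
type credential struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Authenticator models the key-holding component (OS keystore or password
// manager). Private keys are created here and never leave this struct.
type Authenticator struct{ creds map[string]credential }

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]credential{}} }

// MakeCredential is registration: generate a fresh P-256 key pair bound to
// rpID and hand back only the public half plus a credential ID.
func (a *Authenticator) MakeCredential(rpID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	credID := fmt.Sprintf("cred-%d", len(a.creds)+1) // assumption: real IDs are random bytes
	a.creds[credID] = credential{rpID: rpID, priv: priv}
	return credID, &priv.PublicKey, nil
}

// clientData is the subset of WebAuthn clientDataJSON modelled here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives at login.
type Assertion struct {
	CredID            string
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte
	Signature         []byte // ASN.1 ECDSA over authenticatorData || SHA-256(clientDataJSON)
}

// signedMessage is the digest both sides compute over the assertion fields.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// GetAssertion is login: sign the server's challenge with the stored private key.
func (a *Authenticator) GetAssertion(credID, challenge, origin string) (*Assertion, error) {
	c, ok := a.creds[credID]
	if !ok {
		return nil, errors.New("unknown credential")
	}
	rpIDHash := sha256.Sum256([]byte(c.rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount 1
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{CredID: credID, AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty stores public keys only; it can verify but never sign.
type RelyingParty struct {
	ID, Origin string // e.g. "example.com" and "https://example.com"
	pubs       map[string]*ecdsa.PublicKey
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubs: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) Register(credID string, pub *ecdsa.PublicKey) { rp.pubs[credID] = pub }

// Verify checks rpIdHash, clientData (type, challenge, origin) and the signature.
func (rp *RelyingParty) Verify(as *Assertion, expectedChallenge string) error {
	pub, ok := rp.pubs[as.CredID]
	if !ok {
		return errors.New("unknown credential")
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthenticatorData) < 37 || string(as.AuthenticatorData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for a different site")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge || cd.Origin != rp.Origin {
		return errors.New("clientData mismatch: wrong type, replayed challenge or wrong origin")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}
```

A run is: `NewAuthenticator().MakeCredential("example.com")`, `rp.Register(...)` with the returned public key, then `GetAssertion` against a fresh challenge and `rp.Verify`. The private key is created and used only inside `Authenticator`, which is why the question of which software plays that role decides who could sign on the user's behalf; the rpIdHash and origin checks in `Verify` are what make an assertion minted for one site useless on another.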