Discussion


2023-06-15T23:29:26Z ago

Sorry 1Password, I dropped out of your subscription when you decided to move it to the cloud. I won’t share my 200 passwords in the cloud, because if the platform gets hacked, I and my customers are lost completely, being an IT professional dealing with many operations-related passwords with which you could do harmful things.
The nice thing about passkeys is that the private key does not leave your device. The security issue is that it does nevertheless, because it is synced through your provider. The first thing Google asked me to activate was keychain synchronization on my iPhone.
So the security downside: can the FBI or the CIA force the providers to hand over the private keys synced over their platforms? Even if they cut my finger or fake my FaceID, can they actually get access to all sites where I use passkeys? You didn’t answer that. And we know your national security knows no limits on privacy, even in courts.
While I still believe that passkeys are a relief to many consumers out there and will protect them very reasonably against phishing, I wonder how we get them to work in production environments, where I would like to have passwordless login too. Imagine a workshop where ten people use the same ten laptops to do diagnostics on cars in ten boxes, switching between them. How do I register ten passkeys on ten devices for one company application that does car diagnostics? Any solution to that problem?
Nevertheless, it was a great show and I really hope passkeys make the world so much more secure and easier to use for normal users/customers. Still, as a non-normal user I have some security and usability issues. I hope you get the points here about cyber security for IT professionals and enterprise use cases.
Thank you very much for the great show!

2023-06-15T23:45:40Z ago

You discussed the marketing and the rollout of passkeys a lot. What I see as a potential danger is that as soon as a majority of users begin to trust passkeys as a “quality” measure of a website and associate them with trust, we will see a lot of organized-crime websites adapt to that and fake being more trusted than they are.
If you can’t use passkeys for phishing, because the passkey is bound to the trusted website, would there be a way to prevent the use of passkeys on a list of blacklisted websites known to be criminal and to scam users? That would give me even more trust. It will not prevent scamming on the internet, but it could shorten the time it is successful and add some more effort for criminals, because users might feel uncomfortable if they have to change the domain every two weeks to re-register their passkey…
This could help in reducing the scamming of users. What do you think?

2023-06-18T04:11:06Z ago

Two questions I had were not addressed.

  1. Is the same public key being used on all the sites? In other words, if company A is affiliated with company B, can my login to A be associated with a login on B?

  2. What if I want to have two separate accounts on a website? Two different Gmail addresses, separate logins for Reddit, etc.? Can I create personas and switch between them?

Jerod Santo

2023-06-19T13:58:07Z ago

Good questions! The spec says:

Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application. The user agent mediates access to authenticators and their public key credentials in order to preserve user privacy.

So I think the answer to #1 is that it should be different public keys for each site, but that it’s up to the user agent to implement that.

For #2, I don’t see any reason why you couldn’t have separate accounts on a web site just like you can with passwords.

2023-07-03T04:47:41Z ago

The courts have ruled that you cannot be compelled to give up something you know (password, PIN) to unlock a device - self-incrimination. If you lock all your passkeys (or passwords) with something you have - fingerprint, face unlock - you can be legally compelled to unlock your vault. So, if for any reason you find yourself involved in a court case, you will be handing over every account access to the prosecution for discovery.
