
This is not high on my list of concerns about passkeys.

I worry about attestation, vendor lock-in, the spec process, etc... but (if attestation isn't a huge issue) easier account creation is not a huge deal because multiple-account creation will also get a lot easier.

If a system is requiring your passkey plus a metric to verify your identity (again, assuming attestation doesn't become a problem), then they're already in a position where asking for your email is not a big deal. So I don't see how passkeys change anything for them.

On the other hand, any account that would have asked for my email before now doesn't have to. And if attestation goes well and Apple continues rejecting it for roaming providers, they won't get any information other than my login credentials. I have disposable email addresses, but most people don't. Getting rid of a factor that essentially forces them to only have a single account with a service and makes it easier to track them across services -- getting rid of that is a good thing.

There's tons to be worried about with passkeys, but this is not something that worries me. What worries me is if attestation pushes its way into the roaming provider implementations and suddenly I can't create an account on a rooted phone anymore. But getting rid of extra verification/identity steps would be good for users and good for privacy. It would be great if I could sign up for a service just with a key and without an email address.


