The way apple implemented things is great, no argument there. Others need to tech note. But the same thing could have been implemented without requiring device/iOS lock-in. I don't care to malign apple, but alternatives need to work as well, and as smoothly as apple passwords and passkeys, without the corporate malice.

> I would not bet against Apple's security failing.

I wouldn't either, but now the same tech is going to be used by everyone, and Apple's goal of vendor-lockin succeeds. Their security isn't in question, their malicious and anti-competitive practices are. They are secure, and it works well. You're also tied into their ecosystem, and devices. they collect information that isn't necessary for their products to work well, and securely. You can't fault them for being greedy, they're not particularly worse in that regard, but industry needs to standardize better alternatives that work well, without the whole "you have to trust apple, and it's okay that they lock in people to their ecosystem" angle.

If authentication requires the website/app to demand anything that can only be obtained on an apple device, that is a user hostile and anti-competitive feature. What confounds me is that Apple has a strong user-base, doing this the right way doesn't cost them much. Making a user friendly authentication protocol that works without attestation and hardware-lockin doesn't hurt them. They don't need to play dirty and lockin users, their fanbase is already strong. They're just being greedy for that extra 0.001 increase.

If you have a password manager, 2FA is pointless anyway. Password manager already serves as two factors: possession of the database and the secret to decrypt it. 2FA is a mitigation against people getting pwned by reusing passwords or using bad passwords. Neither of which applies if you use a password manager. You can use the TOTP feature in KeepassXC for when it is useful.