> It appears that the spec authors do not consider the keys to be owned by the user at all.

This was my impression, and it explains why the original announcement involved companies that would benefit the most from keeping their users on a leash.

Agreed, unfortunately.

Passwords are easy to understand, transparent and portable, and when used with good hygiene (always using password manager and generating unique & strong passwords for everything) there isn’t yet a strong case for anything else.

Shafting open source projects that implement your spec is not okay, and is terrible optics.

Tech journalists should ask the FIDO Alliance if they’re just Google+Apple+Microsoft in a trenchcoat. Definitely not very open!

How do you even ban something like KeypassXC given that it is open source and any end user could basically edit KeypassXC and bypass a ban?

Edit: Reading one of those issues it sounds like they want the keys stored in an encrypted way, is that too much to ask for? I dont care about viewing it but it shouldnt be stored in a plain easy to open JSON.

They don't consider the key to belong to the user. The key is a token generated by the site to allow it to identify a user. In order for them to do perfectly so they do not want users to be able to tamper with them, leak them, or do anything which might violate their assumptions about the key.