You mean like acceptableads.com which is only supported so far by Adblock Plus (and its parent company)?

The problem is until there is some kind of penalty for being too annoying or too resource consuming, it will always be a race to the bottom with more, worse ads. As people add ad blockers to their browsers, the user pool that isn’t running them begins to dry up and more ads are needed to keep the same revenue. This results in even more people blocking them.

Two of the things I had hope for on the privacy side was Mozilla’s Privacy-Preserving Attribution for ad attribution and Google’s Privacy Sandbox collection of features for targeting like the Topics API. Both would have been better for privacy than the current system of granular, individual user tracking across sites.

If those two get wide enough adoption, regulation could be put in place to limit the old methods as there would be a better replacement available without killing the whole current ad supported economy of most sites. I get that strictly speaking from a privacy perspective ‘more anonymous/private tracking’ < ‘no tracking’ but I really don’t want perfect to be the enemy of better.

While the defaults are typically to use what the browser or OS has for storage and sync of the passkeys, you can use other things.

Like KeePassXC:

keepassxc.org/blog/2024-03-10-2.7.7-released/

As for attestation to how the key is stored securely (like in a hardware key), Apple’s implementation doesn’t support it for iCloud ones, so any site that tries to require it wouldn’t work for millions of people. That pretty much kills it except for managed environments (such as when a company provides a hardware key and wants to make sure that’s the only thing that’s used).

Yes, Vivaldi does: vivaldi.com/features/ad-blocker/

I think you mean that passkeys potentially skip the something you know. The something you have is the private key for the passkey (however it’s stored, in hardware or in software, etc). Unlocking access to that private key is done on the local device such as through a PIN/password or biometrics and gives you the second factor of something you know or something you are. If you have your password manager vault set to automatically unlock on your device for example, then that skips the something you know part.

Which is really stupid of them but technically within spec currently.

Your vault is encrypted on your device before it’s sent to Bitwarden’s servers, so even they don’t have access to your passwords and passkeys.

More info on how it is encrypted is here:

bitwarden.com/help/what-encryption-is-used/

Pretty much every password manager works like this. Having access to your data would be a liability for them.

Does it work like that? Everything I see says they’re tied to that device.

It depends on what kind you want to use. If you want the most security, you can store them on something like a Yubikey, with it only being on that device and not exportable. If you get a new device, you’ll need to add that new device to your accounts. For less security but more convenience, you can have them stored in a password manager that can be synced to some service (self-hosted or in the cloud) or has a database file that can be copied.

Fair, I guess I’ve never lost a password because it’s just a text string in my PW manager, not some auth process that can fail if things don’t work just right.

That’s fair. It can be a bit of a mess with different browser, OS, and password manager support and their interactions but it has continued to get better as there is more adoption and development.

Isn’t the sync for keepass-compatible apps just syncing a normal file?

If it makes you feel better, most PINs on modern devices are hardware backed in some way (TPM, secure enclave, etc) and do things like rate limiting. They’ll lock out using a PIN if it’s entered incorrectly too many times.