
Is there any writeup about passkeys privacy?

Tying everything to Apple/whoever is pretty darn dystopian. And the "second factor" as described in this article doesn't exactly sound enticing.



There is a large section on privacy in the spec.

https://www.w3.org/TR/webauthn-2/#sctn-privacy-consideration...

However, Passkeys put Apple in the position of the Authenticator, which is the riskiest part in terms of privacy.


Thank you, seems quite approachable.

A different authenticator is paramount, but the question is how secure and private a self-hosted solution can be, with reasonable effort.


Apple has pretty good security whitepapers about how it does end-to-end encryption for Keychain items like this. If you're more broadly concerned about Apple not honoring those, having (un)intentional vulnerabilities, or them having the ability to shut you off from your account, then you can always fall back to non-synced FIDO2 devices, like a YubiKey. The underlying technology in both is the same: WebAuthn. I'd imagine local-only is also how macOS and iOS behave if you're not logged in to iCloud.

If you're more interested in WebAuthn privacy more generally, there's quite a bit of it in the WebAuthn specification itself, since it was an important goal of the design.


> then you can always fall back to non-synced FIDO2 devices

No, you cannot. Because they are completely broken for a lot of use cases, especially when you can only add one or two of them, which makes them worse than even passwords in many situations.


Even if they are broken, you have the option, and you can decide which trade-offs suit your use case.


Not sure you'll have the option for passwords much longer, no.


Adding a second factor is more of a UX glitch that we're working on (https://github.com/gravitational/teleport/issues/19314). https://www.passkeys.io/ provides a better flow, and we'll likely see more sites moving in this direction.



