Passkeys gonna be fire. Goodbye password managers, credential stuffing, and phishing attacks!

(photo deduplication is nice too btw, been a long time coming)

> Passkeys gonna be fire

Knowing Apple, they're going to be another avenue to lock in. Now not only does switching your device mean that you have to leave Apple's ecosystem, it also means you lose all your passwords for all your websites.

I'm honestly hoping this does not take off.

> Knowing Apple, they're going to be another avenue to lock in.

I mean it's just Webauthn under the hood, I'd bet money you can export them from keychain into another tool like 1Password or similar.

Time to pay up! Exporting is impossible on Apple's implementation of Passkeys. Even exporting your entire keychain of passwords doesn't result in any WebAuthn keys, just standard passwords. Tested on macOS 13 and iOS 16 betas. I sincerely doubt this will change with the official releases. Google's implementation is probably the same. Microsoft hasn't done a thing yet to support passkeys besides what Edge and Windows Hello do.

Exporting is purposefully made impossible in many implementations of Passkeys (aka Webauthn authenticators) other than Apple's. For example, Yubikeys are designed so private keys can never leave the authenticator [0]. Enabling the export of private keys from an authenticator greatly increases the attack surface of an authenticator.

This is a long-standing security/usability tradeoff in the Webauthn spec. Various solutions have been proposed, but as far as I know most of them are still just drafts, e.g. [1]. The best practice has been and, as far as I know, continues to be to register multiple authenticators, e.g. a primary and a backup authenticator. This practice has a variety of benefits:

1. Avoids lockout if an authenticator is lost.

2. If you use multiple authenticators from different vendors (e.g. Yubico and Google) you:

    1. Avoid vendor lock-in

    2. Can rapidly respond in case a security vulnerability is discovered in one of your authenticators, as has occurred for both Yubico [2] and Google [3].

One could use Apple's Passkeys as one's day-to-day "personal" authenticator, and use an authenticator from a different vendor (e.g. Yubico YubiKey or Google Titan Security Key) as one's backup key. I don't see how Apple's implementation increases the risk of lock-in beyond that of any of the other major WebAuthn authenticator providers.

[0]: https://github.com/w3c/webauthn/issues/865#issuecomment-3804...

[1]: https://github.com/Yubico/webauthn-recovery-extension

[2]: https://www.yubico.com/support/issue-rating-system/security-...

[3]: https://security.googleblog.com/2019/05/titan-keys-update.ht...
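The two points made in the comment above, that a WebAuthn authenticator signs but never exports its private key and that a relying party which stores several credentials per account survives the loss or revocation of any one of them, can be shown in a small model. The following Go program is an added illustration, not code from the thread or from any vendor's implementation. It simplifies the real ceremony: the authenticator signs a SHA-256 digest of the raw challenge instead of authenticatorData || SHA-256(clientDataJSON), there is no attestation or CBOR, and the vendor names "vendorA" and "vendorB" are constructed labels.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a platform or roaming WebAuthn authenticator. The private
// keys live in an unexported field and no method returns them, which is the
// non-exportability property the comment describes (simplified model).
type Authenticator struct {
	vendor string
	keys   map[string]*ecdsa.PrivateKey // credential ID -> private key
}

func NewAuthenticator(vendor string) *Authenticator {
	return &Authenticator{vendor: vendor, keys: map[string]*ecdsa.PrivateKey{}}
}

// Credential is the only thing the relying party ever holds: public material.
type Credential struct {
	ID        string
	Vendor    string
	PublicKey *ecdsa.PublicKey
}

// Register creates a fresh P-256 key pair (WebAuthn alg ES256) and returns the
// public half plus a random credential ID for the relying party to store.
func (a *Authenticator) Register() (Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return Credential{}, err
	}
	id := fmt.Sprintf("%x", idBytes)
	a.keys[id] = priv
	return Credential{ID: id, Vendor: a.vendor, PublicKey: &priv.PublicKey}, nil
}

// Assert signs a challenge with a credential this authenticator holds.
// Simplification: the real signature covers authenticatorData || SHA-256(clientDataJSON).
func (a *Authenticator) Assert(id string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[id]
	if !ok {
		return nil, errors.New("authenticator does not hold that credential")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// RelyingParty stores a list of credentials per account, so any registered
// authenticator (primary or backup) can complete a login.
type RelyingParty struct{ accounts map[string][]Credential }

func NewRelyingParty() *RelyingParty { return &RelyingParty{accounts: map[string][]Credential{}} }

func (rp *RelyingParty) AddCredential(user string, c Credential) {
	rp.accounts[user] = append(rp.accounts[user], c)
}

// RevokeVendor drops every credential from one vendor, the response the comment
// suggests when an advisory is published for that vendor's devices.
func (rp *RelyingParty) RevokeVendor(user, vendor string) int {
	kept, removed := rp.accounts[user][:0], 0
	for _, c := range rp.accounts[user] {
		if c.Vendor == vendor {
			removed++
			continue
		}
		kept = append(kept, c)
	}
	rp.accounts[user] = kept
	return removed
}

// VerifyAssertion checks the signature against the stored public key for credID.
func (rp *RelyingParty) VerifyAssertion(user, credID string, challenge, sig []byte) bool {
	for _, c := range rp.accounts[user] {
		if c.ID == credID {
			digest := sha256.Sum256(challenge)
			return ecdsa.VerifyASN1(c.PublicKey, digest[:], sig)
		}
	}
	return false // unknown or revoked credential
}

// Login runs a challenge/response ceremony with the given authenticator.
func Login(rp *RelyingParty, user string, auth *Authenticator, credID string) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	sig, err := auth.Assert(credID, challenge)
	if err != nil {
		return false
	}
	return rp.VerifyAssertion(user, credID, challenge, sig)
}

// Scenario: primary and backup from different (constructed) vendors; after the
// primary vendor is revoked, the backup still works and the primary does not.
func Scenario() (primaryOK, backupAfterRevoke, primaryAfterRevoke bool, err error) {
	rp := NewRelyingParty()
	primary, backup := NewAuthenticator("vendorA"), NewAuthenticator("vendorB")
	pc, err := primary.Register()
	if err != nil {
		return
	}
	bc, err := backup.Register()
	if err != nil {
		return
	}
	rp.AddCredential("alice", pc)
	rp.AddCredential("alice", bc)
	primaryOK = Login(rp, "alice", primary, pc.ID)
	rp.RevokeVendor("alice", "vendorA")
	backupAfterRevoke = Login(rp, "alice", backup, bc.ID)
	primaryAfterRevoke = Login(rp, "alice", primary, pc.ID)
	return
}

func main() {
	p, b, pr, err := Scenario()
	fmt.Println("primary login:", p, "backup after revoke:", b, "primary after revoke:", pr, "err:", err)
}
```

The relying party never sees a private key, so there is nothing to export on that side either; the only way to add a second way in is to register a second authenticator, which is exactly the backup-key practice the comment recommends.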