Just because this is a common misunderstanding of passkeys, I'm going to state it again here: passkeys don't have to be locked to a hardware chip inside your device in order to work. It is entirely possible to use passkeys only in software (shameless plug to the passkey manager I'm building, https://bulwark.id), and that is most likely the way that most people will interact with them.

I think it's unfortunate that Apple and Google are the ones who are most visible in the passkey space because it gives people the idea that passkeys are a locked-down authentication mechanism when they aren't.

Where did you get the idea that Apple and Google's implementations are hardware-bound?

Per this: https://www.slashid.dev/blog/passkeys-deepdive/

The private key is both kept in your phone’s Secure Enclave and stored in iCloud, so strictly speaking the implementation isn’t hardware-bound in that case.

But I think the intended point is something more practical: can you, as a user, export the passkey to be shared on your non-Apple laptop, phone, etc? And maybe I’m mistaken, but I’ve been under the impression that you cannot.

Hi,

I'm the author of the blogpost. You are spot on, Passkeys are exportable so the private key ends up both on iCloud and the Enclave/authenticator.

My understanding is that there's chatter about cross-vendor synchronization of passkeys but nothing concrete yet.

Meanwhile Apple allows people to share Passkeys via AirDrop (Settings > Passwords - select the passkey you want and click the "Share" icon to send it over AirDrop), so it should be possible with some effort to obtain the private key with something like this: https://github.com/seemoo-lab/opendrop. Haven't done extensive testing yet though, so I can't confirm.

Would love to hear if anybody knows more about how the sharing via AirDrop is implemented/protected.