The point of passkeys is that they're unexportable. Software implementations like Bitwarden/KeepassXC/etc. making them exportable go right against the point of the protocols.

I personally think the ability to export+import passkeys is a good thing from a backup point of view, but he's not wrong in suggesting that companies actually using the high security features of passkeys will eventually block software implementations like these.

This isn't about vendor lock-in. Nobody is asking for KeepassXC to remove passkey support. This is about security software implementing an API and not fulfilling the expectations that come with such an implementation. To quote the comment you linked:

> That's fine. Let determined people do that, but don't make it easy for a user to be tricked into handing over all of their credentials in clear text.

It's fine for them to make suggestions for projects to improve their software. The problem is threatening clients with being banned because they don't agree with those suggestions. If a website is able to ban me because of the passkey client I'm using, then I'm just not going to use passkeys. It's too unreliable.

> personally think the ability to export+import passkeys is a good thing from a backup point of view

It's not a "good thing," it's absolutely critical. If I can't back up my credentials in a location that I trust, then it's not an acceptable login method. What happens if my PC goes down and I couldn't export my data? I just can't log in anywhere? KeePassXC lets me do that, but the spec authors think it's appropriate to ban me for using it because it lets me manage my own data. That's bonkers.

I don't see where he is threatening anybody? He's just stating the obvious. If you promise to store a key in a non-exportable format and then create a big export button, websites won't trust your software.

> What happens if my PC goes down and I couldn't export my data? I just can't log in anywhere?

Then you follow the procedure you would follow for when you'd forget your password. Probably a password reset through email, maybe calling customer support. Or if you have it set up, you could use the passkey set up on your phone or Yubikey or whatever to log in and create a new password on your new PC.

Passkeys aren't passwords, that's the whole point. It's modelled after the "something you have" factor, not "something you know". If you're finding workarounds to violate the security design, you're not gaining any advantage by using passkeys. Just use a password if you want to use a password.

> If you're finding workarounds to violate the security design, you're not gaining any advantage by using passkeys.

The trouble is, if websites are allowed/encouraged to ban clients, then the advantages you're talking about come with the downside of hard-tying yourself to one of 3 US-based Big Tech companies, because those will be the only ones who will ship clients declared "secure." That's not a trade-off I'm willing to make for something as critical as my service logins. You can already see this happening, almost every article talking about passkeys assumes you're logging in with an Apple, Google, or Microsoft device.

> Then you follow the procedure you would follow for when you'd forget your password. Probably a password reset through email, maybe calling customer support.

This is a downgrade from passwords (and exportable passkeys), where I can just restore it from a backup.

> Just use a password if you want to use a password.

Yeah, that's what I plan to keep doing, unfortunately. What I'm worried about is a password-less future where that's no longer an option and we all have to submit to using one of Android, iOS, or Windows to log in to everything because those are the only clients that can be trusted(TM) to handle the user's data as the big tech companies and governments desire it to be handled. This is a dark future.

You already need to submit to iOS or stock Android for a myriad of banking or government apps that use remote attestation to verify that you are running "untampered" software.

Remote attestation is evil.

FWIW this has not been my experience in the US, I've always been able to use websites for these things. I use my phone for almost nothing important since I don't trust it. But yes, I fear we are heading in that direction too.

I keep seeing this where? What banks don’t allow you to go to their website and use them from your phone? Which government apps don’t also have websites?

Not in the western countries yet, I guess. I live in Thailand and have accounts in two banks and both of them only allow usage through an app that's only available through the App/Play store. Android version of Krungthai's bank app freaks out if you have developer settings enabled (even without changing anything, just enabling the access is enough to lock you out). And to use that app in the first place, you have to go to a branch and have staff set the app for, as passing the facial scan checks is impossible for foreigners.

Several German banks (at least mine, one of the bigger ones) exclusively have you use an app for 2FA, you can still log via the website if you are lucky (as long as you have that one saved) but not do any transactions. So I would call that required.

In the EU there is Strong customer authentication [0], part of the PSD2 (Revised Directive on Payment Services).

I read as much about it from the official sources as I could about a year ago, so I might be wrong here. From what I remember even though no specific mention of Android or iOS attestation was made, a "strong" form of 2FA is needed. Stronger than TOTP.

In my country most banks I talked with require a mobile app for 2FA even if you're logging in from a desktop browser. I haven't (and will not) install a banking app on my phone, so I'm not sure if it would work if the phone doesn't pass the attestation (e.g., Play Integrity on Android). I wanted to install the app in an AOSP VM, but no bank would even send me the apk file - they all want me to download it from Google for some reason.

Another option was to pay for a hardware device from a third-party company.

I was lucky that one bank still uses SMS 2FA. It's weaker than TOTP (depending on your threat model, I guess), but I prefer it.

My other option is either to:

* have a smartphone;

* have an "approved" OS from an American company;

* have an account with said American company so I can download the app from the company's repository;

* run closed source software on my smartphone.

or to

* pay for a USB device from a third-party company;

* that barely works with Linux;

* that requires a closed source program to run;

* that doesn't work with VMs and troubleshooting was a pain (I tried).

What I want is to use TOTP. I would actually store the secret on another device, as I'm not opposed to the idea of 2FA in general. And I would be fine if my money were drained as a result of me being hacked. If I had millions in my account, I could just use a separate computer only for the banking, but still a computer I chose.

Online banking (a superset of "mobile" banking) is very important for a person to have in order to participate in society. The ability to choose what hardware and software to use is also very important. The ability to not associate oneself with third-party companies, to accept their ToS and to pay them money is also very important. Therefore, I think those things should be my rights. I'm not complaining about a gym or a pizza place requiring a mobile app here, after all.

[0] https://en.wikipedia.org/wiki/Strong_customer_authentication

That's what I still don't understand. Why is "something you have" deemed more secure than "something you know". For a while everyone was harping on MFA, but suddenly passkeys came along and now SFA is fine as long as it's a passkey?

It's not more secure. It's as secure.

MFA is more secure: you combine multiple factors of authentication. You could do password + passkey, password + TOTP token (assuming such tokens are not exportable either), password + biometrics, passkey + biometrics, even TOTP + biometrics would be MFA.

I don't think anyone proposes replacing MFA with passkeys, most proponents are proposing replacing passwords with passkeys.

A second question is "is MFA still necessary when using passkeys", as passkeys are generally more secure than the Welcome1234! type passwords most people use. I'd argue that for quite a few non-critical services, it wouldn't be. More and more services have started requiring 2FA because the damage of accepting passwords alone was too great, and with passkeys I don't believe the same damage would occur.

It'd still be a good to offer the option. In fact, I think passwords should be offered as a second option; combining passkeys with something like TOTP would be close to useless as the same thing you use to validate the passkey probably also generates the TOTP codes.

Amazon actually does MFA with passkeys: you can log in with a passkey but it'll still ask you for a TOTP code. I'd rather combine password and passkey, but at least they're not completely turning off the additional layer of security.

> I don't see where he is threatening anybody?

The threat he relayed was more serious than the threat he made. But it is a threat when a person with influence suggests they may support a punishment.

> If you promise to store a key in a non-exportable format

There was no such promise. The people who wish Passkeys to replace passwords did not demand it yet even.

> There was no such promise. The people who wish Passkeys to replace passwords did not demand it yet even.

The specification states otherwise: https://www.w3.org/TR/webauthn-2/

    A credential private key is the private key portion of a credential key pair. The credential private key is bound to a particular authenticator - its managing authenticator - and is expected to never be exposed to any other party, not even to the owner of the authenticator.

If I lose the device that has all my passkeys, I wouldn't be able to login into my emails either.

But the natural result is vendor lock in. To stop exports of keys, sites will need a whitelist and secure method to verify the hardware or software implementation has not been tampered with. If an implementation is banned, the obvious solution is to allow it to pretend to be a non-banned implementation. Or admin level processes smuggling keys out of approved implementations. I don't think anyone wants an arms race, thus the vague threats to remove features that users are demanding before they will consider buying into the ecosystem.

Both things can be true:

1) that they're enforcing these specs for technical reasons, not because they want vendor lock-in

2) a result of these decisions in the long term is vendor lock-in

I agree with this, but I think the spec author's public statements means we don't need to give them the benefit of the doubt. People have repeatedly pointed out how this will result in vendor lock-in, and their response is either "yep, working as intended" or "we don't want to talk about this anymore." They're just steamrolling ahead with support from all the Big Tech companies. It's a really ugly situation =/

I agree with you but the whole thing makes me uncomfortable. We're definitely making it easier for these security conscious companies to do vendor lock in if we encourage passkey use.

At this time I'm not really sure if anyone can really say there's a 'point' to passkeys anymore. They just are exportable now, both Google's and Apple's implementation are synced instead of device-bound putting them at the level of Bitwarden / KeepassXC. Backups and multi-device have become a critical feature for users which breaks attestation so it's really just those weirdos with Yubikeys.

I think we're verrry slowly inching toward shedding all the security nerd self-indulgences and getting to what I think is the eventual endgame which PassKeys are just keys and ultimately a fairly user friendly way of getting people to use a password manager without it feeling like one. All the other features seem like noise.

>The point of passkeys is that they're unexportable. Software implementations like Bitwarden/KeepassXC/etc. making them exportable go right against the point of the protocols.

No, that is absolutely not the point. The points of using pub/priv keys for asymmetric auth instead of passwords (symmetric, manually generated auth) are:

- Server-side (ie, central point) hacks no longer matter an iota from a user auth pov. No more having to worry about reuse anywhere else, about going around changing passwords, nada, because the server simply doesn't have anything that can be used for auth anymore at all. No more concerns about whether they're storing it with the right hash functions or whatever, they could publish all the public keys in plain text and it'd be irrelevant. This fantastically changes the economics of attacks, since now instead of hacking one place and getting thousands/millions/hundreds of millions of credentials you'd have to hack every single separate client.

- As a practical matter, the process means eliminating the whole ancient hodgepodge of password requirements (often outright anti-security) and bad practices and manual generation work. Everything gets standardized on something that will always be random, unique, and secure.

And that should be it. That's the point and the value, always was. The only goal should be to put a nice UX and universal standard around. But of course, modern enshittified tech being enshittified, they had to shove in a bunch of stupid fucking bullshit garbage like what you're talking about.

Thank you, you have been the first person to articulate why passkeys are actually an advantage. Everyone else I've read from was focusing on the client side and there I really don't see a significant advantage. In fact it seems it's a downgrade from MFA, so I never understood the push for passkeys.

This is very well put, thank you (though I think you got a little needlessly aggro at the end :) ). A big part of why I find this situation so frustrating is passkeys are such a cool technology and genuinely a big improvement over passwords. I even spent a whole day writing a big article about how cool they are! But the big tech company lock-in stuff is so obvious, and so strongly supported by the spec authors and the passkey community, that it's hard to see it as unintentional. It completely poisons the technology, and that sucks because I really do want to use it.

>This is very well put, thank you (though I think you got a little needlessly aggro at the end :) ).

My apologies to GP if it came across as too personally aggro, I did mention the corps and their walled gardens to try to be clear on the focus, but the situation does really make me absolutely furious and also truly sad. This should have been such a simple, universal win/win/win that made everything better for everyone. But as you say:

>and so strongly supported by the spec authors and the passkey community, that it's hard to see it as unintentional. It completely poisons the technology, and that sucks because I really do want to use it.

Yeah, 110%. I'm one of the very few who actually tried to use certificates for web authentication back in the 00s, and it did work pretty darn well surprisingly! There were even a few commercial web services that tried it out like the now defunct StartSSL. It was just the whole flow around it was too clunky for regular people and needed some additional standardization and polish. If only the right catalyst had happened to make it a priority in the 2000s it might well have been done in a lasting good way that'd then be too sticky and entrenched to fuck with now. It's depressing to see it being hijacked and poisoned like it has been :(.

So if a client ever goes rogue someday (either intentionally or has been compromised) and starts shipping off private material to a malicious third party, you think relying parties shouldn’t have the option not to trust that client anymore?

Sure that's bad, but the trouble is you're not thinking about what the alternative is. If users don't have control over their own data, then someone else does.

As stated by the spec authors on KeePassXC's bug tracker, open source software may be modified by the user, so cannot be trusted. The passkey proposal is for all of your keys to be managed by proprietary software validated by your phone or your computer's TPM module. That means one of three big, US-based tech companies will control all of the world's login data. Those 3 companies are all currently involved in the largest fascist-taint-tongue-polishing in US history, and we want to hand them control over the world's logins. That's a much, much bigger risk than some users doing something stupid.

The spec needs to be written with the assumption that the user's private keystore may be hostile to the user's own interests, because in the real world, it is. It needs to be written to mitigate damage to the user from a hostile keystore. Instead, the spec places total trust in the keystore. This is a fatal error.

By all means, make a proposal to the FIDO Alliance that solves all these problems without introducing new ones. You're going to have to anticipate all the objections and be prepared to answer them, though.

I'm not the one trying to push a new standard, but sure, I'll do it for them. Explicitly allow users to export and back up their private keys in a documented file format, make client banning hard/discouraged, and no longer maintain a naughty client list. That's it.

Doesn't doing so necessarily lock out all the users using that client?

It would, yes. Thus it’s an action I would only recommend if doing so would help prevent serious injury to their customers. If it comes down to a choice between locking a customer out and having, say, their money stolen, then the scale tips towards safety.

Perhaps, but then (as always) we're back to the security of the recovery workflow.

Apple doesn't do attestation, so effectively this feature is dead in the water.

Per the article, Apple does do attestation. By default attestation is off unless you have enterprise management turned on.

But the existence of attestation means Apple could at any time in the future make attestation on by default and suddenly our devices control our secrets more than we do.

No, Apple can't suddenly start doing attestation in the future by default because that would instantly kill all the passkeys that have already been created on Apple devices without attestation. It would be as if a home security company went around and changed all the locks they had installed on their customers' front doors. It would be instant suicide as a trusted vendor.

Isn’t that just like people said in 2008 now that therd is a Mac App Store “any day now” that will be the only way to get apps on the Mac?