> there is effectively no way to export private keys between authentication password managers
No exporting really is a feature. Otherwise people would be tricked into giving away passkeys much like they are with passwords today.
You can always register multiple passkeys with providers though. Already have a passkey with google but want another one via a different password/account manager? Just go into settings on google and add it! This is effectively how you’re meant to move passkeys around. Create a new and register that with the same services as the old one.
The real hassle right now is remembering all the services you attached your current passkey to so you can register a new passkey with them and it’d be nice if there was something similar to ninite installer for passkey registration. But still it's not a huge blocker. You can absolutely use multiple passkeys and login with any one of them.
I don't want to cede a chokepoint to my online identity to a multinational conglomerate with no support department. I don't understand the UX for adding more passkeys.
I'd rather have the possibility of being "tricked" than get locked into another walled garden. Maybe I'm wrong for feeling that way, but there are literally dozens of us.
> Otherwise people would be tricked into giving away passkeys much like they are with passwords today.
Is this really a common attack vector vs. a company leaking their whole customer database and a bunch of password being revealed that way?
Yes, it's called phishing.
Phishing is different (from the user's POV) than exporting a password and "giving it away". I don't see how phishing would be applicable to passkey exports.
> Phishing is different
Nope, it's exactly that: tricking people into believing that they are exporting their passkey securely where actually they are sharing it with the attacker.
> I don't see how phishing would be applicable to passkey exports.
Phishing is applicable to everything humans can do: if you can ask a human to do it, you can phish a human to do it.
Not sure why this is being downvoted. This user (palata) is correct — phishing is any attempt by an attacker to trick a user into giving up sensitive information.
For anyone who is confused:
https://www.cloudflare.com/learning/access-management/phishi...
Not yet. It's a more complex variation on phishing, but not complex enough that it wouldn't happen if scammers needed it to.
Effectively ceding control of your online identity is a feature? Would you be willing to bet real money that the passkey attestation feature will never be abused be these same companies ?
How is that effectively ceding control of your online identity?
You can buy a security key (that does not have your name on it), have it generate a FIDO2 key and use it as a passkey. You can have 100 Yubikeys for 100 different websites if you want.
But you can't ever export the private key from the Yubikey, and that's a feature. That's the whole point of the Yubikey.
I think there is a difference between a specific implementation of passkeys not allowing export as a feature and the article’s linked GitHub thread with a threat of potentially blacklisting an implementation if it allows export [1]. Imo users need the fundamental freedom to choose.
[1] https://github.com/keepassxreboot/keepassxc/issues/10407#iss...
Where is the threat to blacklist? I missed that so I lack context.
My reading of the the linked github thread is: 1) A member of the FIDO alliance says that provider attestation is bad because relying parties could block specific providers 2) This FIDO alliance member doesn't like that keypassxc has implemented a feature for their users that weighs user freedom/security different than they would prefer and 3) they insinuate that if keypassxc doesn't change this, they could decide to push for provider attestation in the future, potentially ending keypassxc as a viable password manager.
Perhaps I'm reading things in a worse light than you but I believe the potential for abuse is so high and the value of user freedom is so high that these comments shouldn't be taken lightly. I say this a user and huge fan of Yubikeys (I use them precisely because of the feature of not being able to export the private key for security). But I think users have the right to build/use software that works how they see fit.
> But I think users have the right to build/use software that works how they see fit.
They have, I don't think anyone denies that. But the other side has the right to refuse working with them if they find them insecure.
I don't think it is limited to passkeys... I have always been forced to use the authentication chosen by the IT at work, it's not like I can come and say "You know what? Instead of your SSO coupled with your second factor app, I would like to use my own password manager with email and password".
Work IT is different from services being offered to the public, though.
The difference is the security requirements. Services that are fine today with you using just a username+password won't care at all if you use a passkey that is considered unsafe.
Yes they will, because of risk aversion and cargo culting. They won't actually audit a passkey provider or have well-defined security criteria, but they will just require what everyone else requires.
Hmm... why don't they already implement their own authenticator apps, if it's just risk aversion and cargo culting? Again it's totally possible and it already exists.
I currently, exclusively use my Yubikeys as passkeys, and it works everywhere where passkeys are available. So I don't personally see a problem.
What I see is that people complain because of some kind of disagreement that happened between some people on the Internet about the passkey implementation in KeepassXC. And nothing about that materialised.
Just made the same comment, weird that its an unpopular opinion. Chalk it up to a UX issue around user expectations.
It's not just that. There's a huge lack of trust with the tech industry. I don't think anyone trusts tech companies to act in the user's best interests with this kind of restriction instead of using it to drive more platform or service lock-in.
I get the lack of trust with TooBigTech, but I personally use passkeys with security keys (Yubikeys). WebAuthn is just a bunch of protocols that can run independently from TooBigTech.
It's hard for more people to verify whether this is actually independent from big tech. With a password, you can write it on a piece of paper. You can then type it back in. If any character doesn't match, it doesn't work. This seems like a trustworthy demonstration that it is actually independent. Passkeys have too much magic to understand in this way.
But passwords are hell for most people: they never remember them, for some reason (I don't understand it either) they really don't want to use a password manager, and they get phished.
Passkeys mean that most people can just FaceID or their fingerprint everywhere and they are happy. They are happy to be locked in if it just works.
For those of us who don't want to be locked in, we still have the possibility to not be locked in because we understand how it works.
I don't think we can do better: try to explain to normies how they should enjoy using a CLI and see how they react.
> Passkeys mean that most people can just FaceID or their fingerprint everywhere and they are happy. They are happy to be locked in if it just works.
Yeah, because people are stupid.
Heading towards a future where you need to use government-approved devices which are tied to your real identity to access the internet is a recipe for disaster.
> Heading towards a future where you need to use government-approved devices which are tied to your real identity to access the internet is a recipe for disaster.
That's unrelated to passkeys. When you use your credit card to pay online, it's tied to your real identity. Many countries offered to do a lot of official stuff online (like taxes) long before passkeys.
No, it's very much related, although not guaranteed.
The reality is that many passkey implementations right now come with attestation and are closed off. That's simply not possible with passwords.
Passwords, as a concept, just can't be abused in that way. Because they're just strings of text. Passkeys, however, CAN be - and we're already seeing that happen.
It could reverse course, but then it would need to reverse course and stay reversed. Forever. Even though there's lots of money and control being left on the table.
That's a big problem.
> That's simply not possible with passwords. Passwords, as a concept, just can't be abused in that way.
Well, not with only the password, but with the mandatory 2FA app that comes with it, it's definitely possible. Source: my company does that.
And you can most definitely request the real ID before you let someone create an account, password or passkey.
I don't see a difference.
I'm stupid. I don't think passkeys actually just work. What if I get a new phone? I don't know the answer to that. I do know how to install my password manager on a new phone. Last time I got a new phone, all my 2FA authenticator codes stopped working. I switched them all to SMS.
I don't get the downvotes here.
I feel like people mix up the protocols and the implementations. Because one can share their passkeys with a Google password manager does not mean that they have to. Passkeys are just WebAuthn, which works on its own.
Since I'm getting downvoted as well: I am using passkeys with Yubikeys, without depending on any TooBigTech.
> Because one can share their passkeys with a Google password manager does not mean that they have to.
The standard provides the means for the relying party to choose what password managers it will accept, so you may very well have to use the Google password manager.
Without passkeys, a service can force you to use their own proprietary app as a second factor. It's been like that for years with banks and at big companies.
They already do select the security they want. And it does make sense when security matters to them!
Say you managed to put into the law that "it's illegal to discriminate passkeys, either you accept all implementations or none of them". What would happen then? Those services would just not use passkeys, because they already have a solution they control today (with their own authenticator apps).
What the standard provides is a way to have certified/audited passkeys. So that instead of using the authenticator app of my bank to log into my bank and the Microsoft authenticator to log into my company SSO, maybe (just maybe) I will someday be able to use a passkey. Not any passkey, that's very clear, and it actually does make sense in terms of security. But maybe instead of using Apple or Google, you will be able to use a security key like Yubikey.
And the fight should be to give a fair chance to those third-party systems for getting certified. Not to refuse the passkey technology because instead of being forced to use the Microsoft passkey, we really like it better when we are forced to use the Microsoft authenticator app.