I think there is a difference between a specific implementation of passkeys not allowing export as a feature and the article’s linked GitHub thread with a threat of potentially blacklisting an implementation if it allows export [1]. Imo users need the fundamental freedom to choose.

[1] https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

Where is the threat to blacklist? I missed that so I lack context.

My reading of the linked GitHub thread is: 1) A member of the FIDO Alliance says that provider attestation is bad because relying parties could block specific providers, 2) this FIDO Alliance member doesn't like that KeePassXC has implemented a feature for their users that weighs user freedom/security differently than they would prefer, and 3) they insinuate that if KeePassXC doesn't change this, they could decide to push for provider attestation in the future, potentially ending KeePassXC as a viable password manager.

Perhaps I'm reading things in a worse light than you, but I believe the potential for abuse is so high and the value of user freedom is so high that these comments shouldn't be taken lightly. I say this as a user and huge fan of Yubikeys (I use them precisely because of the feature of not being able to export the private key, for security). But I think users have the right to build/use software that works how they see fit.

> But I think users have the right to build/use software that works how they see fit.

They have; I don't think anyone denies that. But the other side has the right to refuse to work with them if they find them insecure.

I don't think it is limited to passkeys... I have always been forced to use the authentication chosen by the IT at work, it's not like I can come and say "You know what? Instead of your SSO coupled with your second factor app, I would like to use my own password manager with email and password".

Work IT is different from services being offered to the public, though.

The difference is the security requirements. Services that are fine today with you using just a username+password won't care at all if you use a passkey that is considered unsafe.

Yes they will, because of risk aversion and cargo culting. They won't actually audit a passkey provider or have well-defined security criteria, but they will just require what everyone else requires.

Hmm... why don't they already implement their own authenticator apps, if it's just risk aversion and cargo culting? Again it's totally possible and it already exists.

I currently use my Yubikeys exclusively as passkeys, and it works everywhere passkeys are available. So I don't personally see a problem.

What I see is that people complain because of some kind of disagreement that happened between some people on the Internet about the passkey implementation in KeepassXC. And nothing about that materialised.