Coming to Apple OSes: A seamless, secure way to import and export passkeys

6/13/2025, 12:03:48 PM · arstechnica.com

Comments (10)

newscracker · 1d ago
> The private key remains bound to the user device, where it can’t be extracted.

So what exactly is being transferred with this new cross platform mechanism? Isn’t it the same private key, except that it’s a direct device-to-device transfer?

This export and import of passkeys also seems to blur the lines between passwords and passkeys a little more. If every device supported a built in password manager that generates a random password on signup with a service, stores it securely and then the platforms implement a secure password export and import mechanism where the CSV/JSON/whatever file is encrypted and kept only in memory during a direct device-to-device transfer, that would be close to this, right?

Other than passkeys being randomly generated for each site (and linked to it) and tied to some kind of biometric authentication, it looks like passwords and passkeys are converging (except for some implementation details).

The biggest advantage (which could also be considered a disadvantage from a different angle) with passwords is that one can use them from any device without having their primary device close by. With passkeys, the primary device must be close by if one wants to authenticate with a service on another device.

The biggest disadvantage with passkeys is that if one’s primary device is lost, they wouldn’t be able to log in to services. The recovery process would also have to be the same old personal information check or (ugh) secret questions or a link sent to an email address or (ouch) an OTP by SMS to a new replacement device.

anon7000 · 1d ago
> Other than passkeys being randomly generated for each site (and linked to it) and tied to some kind of biometric authentication, it looks like passwords and passkeys are converging (except for some implementation details).

The fact that a passkey can only be used with the ONE site it was generated at, that it can encode the identity of the user as well as the password, and that there is a standardized, programmatic way to submit/retrieve a passkey to a website are all huge security upgrades over passwords. So no, they aren’t really converging in the ways that matter.

Syncing, export, whatever, are just implementation details of the platform and aren’t really related to the passkey standards.

Someone could create an iOS password manager for passkeys that stores the private keys in plain text for you to view and write down on paper. Of course, the major apps & platforms don’t do that because it’s not a popular feature (or secure), but anyone can write a password app for iOS.

krackers · 23h ago
I don't get those benefits: randomly generated password is by definition only going to be usable at the site it was generated for. I'm not sure what it means for a password to "encode my identity", but if it includes device-specific bits then that seems like an anti-feature. And autofill for passwords is mostly good enough as a standardized way to input passwords saved in a password manager.

diggernet · 1d ago
> So what exactly is being transferred with this new cross platform mechanism? Isn’t it the same private key, except that it’s a direct device-to-device transfer?

The sentence you quote is describing passkeys, not this new transfer mechanism. I assume this does transfer the private key.

On the other hand, while the article is short on details, it sure sounds like this only supports a move operation, where the passkey is removed from the first device and installed on the second. Which means it'll do nothing for disaster recovery, because they are still assuming your one passkey device will always be present and functional. For example, say your iPhone is smashed and you decide to buy an Android replacement. Nope, sorry, first you need to buy an iPhone to restore from iCloud, then you can transfer to Android.

It really needs to be possible to back up passkeys, no matter how much the advocates say we shouldn't be allowed to do that.

lapcat · 1d ago
Passkeys are basically the same as ssh keys. What the big tech corporations have "added" is a walled garden. Apparently you can now transfer from one walled garden to another walled garden, Apple iCloud Keychain to 1Password or Google or whatever, but they completely distrust users and refuse to allow users to get directly to the private keys. In other words, they've added paternalism.

I personally don't want to use any "cloud" syncing service, no matter whose it is. I just want to manage my own credentials and back them up myself, like I do with my passwords. Local-only, with offsite backups controlled only by me, is my principle for almost everything. I don't object to the existence of cloud syncing services, as an option for users, but I do object to the forced paternalism on everyone.

One of the great things about passwords is that they are completely device-independent. You can write a password down on a piece of paper. You can do that with an ssh private key too, by the way. It's the ultimate backup that resists all vendor lock-in.
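
The disagreement above between anon7000, krackers and lapcat is really about what a site checks when it accepts a passkey, so here is an added example (mine, not code from the article or from any commenter) of a toy WebAuthn-style flow: an authenticator that scopes every key to an rpId, a browser that derives the rpId from the origin the user is actually on, and a relying party that checks challenge, origin, rpIdHash and signature before trusting the user handle the assertion carries. The P-256 ECDSA arithmetic is written out in plain Python only so the block runs offline; the names Authenticator, RelyingParty, browser_get and run_demo, the origins example.com and evil.example, and the user handle user-42 are all constructed for this illustration. The last step shows lapcat's point that the private scalar d is an ordinary integer that can be exported and imported into a second authenticator and still verify against the same registered public key.

```python
# Added example, not from the article or any commenter; names and sample origins are constructed.
import base64, hashlib, json, secrets, struct

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff   # P-256 field prime
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551   # P-256 group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):                         # affine point addition; None is the identity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P   # a = -3 for P-256
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):                          # double-and-add (not constant-time: toy only)
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def ecdsa_sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1  # RFC 6979 deterministic k is the safer choice
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s: return r, s

def ecdsa_verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    X = _add(_mul(z * w % N, G), _mul(r * w % N, Q))
    return X is not None and X[0] % N == r

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class Authenticator:
    """Passkey store: cred_id -> (rp_id, user_handle, d). get() never reveals d."""
    def __init__(self): self.creds = {}

    def create(self, rp_id, user_handle):
        d, cred_id = secrets.randbelow(N - 1) + 1, secrets.token_bytes(16)
        self.creds[cred_id] = (rp_id, user_handle, d)
        return cred_id, _mul(d, G)        # only the public key goes to the site

    def get(self, rp_id, origin, challenge):
        match = [(c, v) for c, v in self.creds.items() if v[0] == rp_id]
        if not match: raise LookupError("no passkey scoped to " + rp_id)
        cred_id, (_, user_handle, d) = match[0]
        client_data = json.dumps({"type": "webauthn.get", "challenge": b64u(challenge),
                                  "origin": origin}).encode()
        # authenticatorData = SHA-256(rpId) || flags (UP set) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        sig = ecdsa_sign(d, auth_data + hashlib.sha256(client_data).digest())
        return {"id": cred_id, "clientDataJSON": client_data, "authenticatorData": auth_data,
                "signature": sig, "userHandle": user_handle}

    def export(self, cred_id): return self.creds[cred_id]           # the part vendors withhold
    def import_(self, cred_id, rec): self.creds[cred_id] = rec

def browser_get(auth, origin, challenge):
    """The browser, not the page, derives rpId from the origin the user is really on."""
    return auth.get(origin.split("://", 1)[1], origin, challenge)

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.rp_id, self.creds = origin, origin.split("://", 1)[1], {}
    def register(self, cred_id, Q, user_handle): self.creds[cred_id] = (Q, user_handle)

    def verify(self, a, challenge):
        """Return the user handle this assertion proves, or None."""
        Q, user_handle = self.creds.get(a["id"], (None, None))
        cd, ad = json.loads(a["clientDataJSON"]), a["authenticatorData"]
        ok = (Q is not None and cd.get("type") == "webauthn.get"
              and cd.get("challenge") == b64u(challenge)                   # fresh, not replayed
              and cd.get("origin") == self.origin                          # not a lookalike origin
              and ad[:32] == hashlib.sha256(self.rp_id.encode()).digest()  # key scoped to this RP
              and ad[32] & 1                                               # user presence flag
              and ecdsa_verify(Q, ad + hashlib.sha256(a["clientDataJSON"]).digest(), a["signature"]))
        return user_handle if ok else None

def run_demo():
    rp, phone, out = RelyingParty("https://example.com"), Authenticator(), {}
    cred_id, Q = phone.create(rp.rp_id, b"user-42")                       # registration
    rp.register(cred_id, Q, b"user-42")
    ch = secrets.token_bytes(32)
    out["login"] = rp.verify(browser_get(phone, "https://example.com", ch), ch)
    try:                                  # lookalike site: browser scopes the request to it
        browser_get(phone, "https://evil.example", secrets.token_bytes(32)); out["phish"] = "signed"
    except LookupError:
        out["phish"] = "no credential"
    a = browser_get(phone, "https://example.com", ch)                     # MITM edits clientData
    a["clientDataJSON"] = a["clientDataJSON"].replace(b'{"type"', b'{"x": 1, "type"')
    out["tampered"] = rp.verify(a, ch)
    out["replay"] = rp.verify(browser_get(phone, "https://example.com", ch), secrets.token_bytes(32))
    laptop = Authenticator()              # d is just an integer: copy it like an SSH key
    laptop.import_(cred_id, phone.export(cred_id))
    ch2 = secrets.token_bytes(32)
    out["imported"] = rp.verify(browser_get(laptop, "https://example.com", ch2), ch2)
    return out
```

Calling run_demo() gives login and imported returning the registered user handle, phish raising before anything is signed (the browser scopes the request to evil.example, for which no key exists), and tampered and replay returning None. The site never sees d and never needs to: it stores the public key and the user handle, which is why the assertion can identify the user as well as authenticate them, and why an exported d reimported elsewhere keeps working without the site noticing.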

anon7000 · 1d ago
Anyone can write a password manager which supports passkeys for iOS, and there are plenty of third party ones that already exist! Passkeys are (technically) device independent too.

daft_pink · 1d ago
I think the criticism is there is no way for the user to access their own passkeys. For example, if you go into 1password, you cannot export your passkey, you cannot view your passkey.

You’ve essentially walked into a form of vendor lockin without that ever being explained to the user and it looks like they are building a way to move from vendor to vendor, but you never get direct access yourself for whatever reason.

pabs3 · 14h ago
keepassxc has a passkey implementation that can export passkeys.

ghusto · 1d ago
Too little, hopefully too late.

I can export to another device, _whilst I still have my current device_? That's only half the story, and a little of the anxiety. The real issue is: what happens when my devices are gone? If I get robbed, I'm not sure they're going to be considerate enough to leave me one of my devices so I can still have access to my passkeys.

pabs3 · 14h ago
Just add some backup passkeys you store in a safe place, like a Yubikey in a physical safe.