[xmdx]

They said in the event that everything is synced on iCloud so all your devices can use the keys, which makes me think no, it's just a password manager, without the password bit. Maybe they create a separate key for each device, but then why mention iCloud syncing at all.

[howinteresting]

It's a password manager with cryptographic vendor lockin.

There are definitely some benefits though, such as immunity from phishing. Surely we as the industry can bring them about in a way that doesn't involve cryptographic vendor lockin.

[theluketaylor]

There is no password so it can't be a password manager. Without a password it avoids all the downsides of passwords like having to store them securely on both ends, rainbow tables, credential reuse, weak password choice, and having to remember them. It's a cryptographic keypair manager. Key management is always the barrier to really good real world cryptography, so I'm heartily in favour. Anything that makes it possible for regular people to use strong cryptography is a huge win.

Since it's all just FIDO2/webauthn under the hood it's hardly lockin. It's a bit of Apple UI tinsel to make life simple and their excellent icloud keychain sync.

[altairprime]

The industry doesn’t seem to have a working software solution for mobile phone authentication secrets that both is 1) immune to persuading a user to export their data (to get phished), and 2) allows a user to export their data at any time (to prevent lock-in).

What would it look like to do #2 safely, without enabling the phishing that we see today with #1?

[danShumway]

I get where you're coming from and you're not wrong, but at the same time, I don't buy this as an excuse for vendor lock-in here, because it seems like Apple is already backing up passkeys to iCloud.

If Apple has decided that the risk of getting your passkeys phished out of your Apple iCloud Account is outweighed by the benefit of users being able to restore/sync login details immediately when they buy a new iOS device and log into it, then I think it's reasonable for users to expect the same treatment and the same experience when they're moving away from iOS.

If Apple wasn't backing up any of the logins, and they had committed to when you trade in your phone and upgrade to the latest iPhone forcing you to manually re-create all of those keys one-by-one using your recovery option, then I'd accept not having an export option for Android/Linux/Windows. Otherwise, it will just seem really suspiciously convenient to me if they ultimately decide that exporting keys is acceptable risk unless it's to a competitor's device.

As far as I can tell, there hasn't been any official confirmation that users won't be able to export them to non-iOS devices, so maybe it's all worry over nothing. But I don't think security is a justification to apply restrictions specifically only on devices outside of Apple's ecosystem.

[altairprime]

I don't consider this solution an excuse for vendor lock-in. I consider this a problem that has no known solutions without vendor lock-in.

If you offer users a way to export, then you offer phishers a way to social engineer users. So either you prevent social engineering (lock-in: yes), or you allow exports (lock-in: no).

Which choice has a higher precedence when serving the market of "non-technical mobile phone users"?

[danShumway]

I think you're misunderstanding what I'm saying. Apple IS allowing users a way to export right now, we just don't know whether non-iOS devices will be supported.

I consider the binary you describe to be a justifiable reason for Apple to offer no way to export from a phone, but that's not what they're doing. And I do not consider it a justifiable reason for Apple to allow only exporting between iPhones.

Apple is syncing passkeys to iCloud, presumably so they can be synced between devices and restored if a device is lost/destroyed. That's an export option, and iCloud syncing/restoration between phones is vulnerable to phishing attacks, but Apple has decided that the user experience without iCloud backup would be so bad that they're excusing the extra risk that users have their iCloud account phished and their keys synced to an attacker's phone.

> Which choice has a higher precedence when serving the market of "non-technical mobile phone users"?

In Apple's case, they have decided that allowing users to recover accounts easily is more important for non-technical users than protecting them from export phishing attacks. They've very explicitly said here that they think that allowing export is more important than preventing phishing.

We can debate whether Apple made a good choice with that, but having made that choice, there is now no reason for them to say that Android transfers would be a unique security threat.

[howinteresting]

You can offer to transfer data to another computer or phone that's plugged into yours over USB.

[altairprime]

Your choice is to allow people to be phished for credentials, then.

Gullible people will cheerfully complete any attacker-described PC syncing process, ignoring every security warning presented to them, in order to give away the keys to their accounts. They’ll use a friend’s PC, or a library PC, or anything under the sun, if the phished promises to give them something for nothing.

[vorpalhex]

The secrets can be exported - whether or not they will allow that though...