[altairprime]

The industry doesn’t seem to have a working software solution for mobile phone authentication secrets that both is 1) immune to persuading a user to export their data (to get phished), and 2) allows a user to export their data at any time (to prevent lock-in).

What would it look like to do #2 safely, without enabling the phishing that we see today with #1?

[danShumway]

I get where you're coming from and you're not wrong, but at the same time, I don't buy this as an excuse for vendor lock-in here, because it seems like Apple is already backing up passkeys to iCloud.

If Apple has decided that the risk of getting your passkeys phished out of your Apple iCloud Account is outweighed by the benefit of users being able to restore/sync login details immediately when they buy a new iOS device and log into it, then I think it's reasonable for users to expect the same treatment and the same experience when they're moving away from iOS.

If Apple wasn't backing up any of the logins, and they had committed to when you trade in your phone and upgrade to the latest iPhone forcing you to manually re-create all of those keys one-by-one using your recovery option, then I'd accept not having an export option for Android/Linux/Windows. Otherwise, it will just seem really suspiciously convenient to me if they ultimately decide that exporting keys is acceptable risk unless it's to a competitor's device.

As far as I can tell, there hasn't been any official confirmation that users won't be able to export them to non-iOS devices, so maybe it's all worry over nothing. But I don't think security is a justification to apply restrictions specifically only on devices outside of Apple's ecosystem.

[altairprime]

I don't consider this solution an excuse for vendor lock-in. I consider this a problem that has no known solutions without vendor lock-in.

If you offer users a way to export, then you offer phishers a way to social engineer users. So either you prevent social engineering (lock-in: yes), or you allow exports (lock-in: no).

Which choice has a higher precedence when serving the market of "non-technical mobile phone users"?

[danShumway]

I think you're misunderstanding what I'm saying. Apple IS allowing users a way to export right now, we just don't know whether non-iOS devices will be supported.

I consider the binary you describe to be a justifiable reason for Apple to offer no way to export from a phone, but that's not what they're doing. And I do not consider it a justifiable reason for Apple to allow only exporting between iPhones.

Apple is syncing passkeys to iCloud, presumably so they can be synced between devices and restored if a device is lost/destroyed. That's an export option, and iCloud syncing/restoration between phones is vulnerable to phishing attacks, but Apple has decided that the user experience without iCloud backup would be so bad that they're excusing the extra risk that users have their iCloud account phished and their keys synced to an attacker's phone.

> Which choice has a higher precedence when serving the market of "non-technical mobile phone users"?

In Apple's case, they have decided that allowing users to recover accounts easily is more important for non-technical users than protecting them from export phishing attacks. They've very explicitly said here that they think that allowing export is more important than preventing phishing.

We can debate whether Apple made a good choice with that, but having made that choice, there is now no reason for them to say that Android transfers would be a unique security threat.

[howinteresting]

You can offer to transfer data to another computer or phone that's plugged into yours over USB.

[altairprime]

Your choice is to allow people to be phished for credentials, then.

Gullible people will cheerfully complete any attacker-described PC syncing process, ignoring every security warning presented to them, in order to give away the keys to their accounts. They’ll use a friend’s PC, or a library PC, or anything under the sun, if the phished promises to give them something for nothing.

[danShumway]

Apple is already remotely backing up passkeys off-device.

We are having a debate about an Apple policy that doesn't exist. Apple is not following the "keys never leave your device" model, so that security model has nothing to do with whether or not Apple will engage in vendor lock-in.

We're not making the choice to leave users vulnerable to phishing attacks, Apple made that choice, and we're arguing that because they made that choice they have no excuse to also engage in vendor lock-in.

[altairprime]

As far as I know, Apple requires iCloud password and PIN entry on an Apple hardware device being paired to iCloud to access Keychain data, and tends to block Apple devices by hardware ID when they’re associated with bulk login attacks. The attacker surface for phishers is exorbitantly expensive, since they’d need to have a shipping container full of iPhones to even begin harvesting credentials, assuming that they could convince users to turn over their iCloud password (which half of my friends don’t even know).

This is how vendor lock-in allows protections against phishing that a naive data export would bypass. No one has yet suggested how this level of protection can be offered to end users without lock-in, across many such posts and threads, for many years now. I remain hopeful that there’s another way, but I’m not going to demand Apple do insecure exports at the expense of users in the meantime.