by garrettr_ 1366 days ago
Exporting is purposefully made impossible in many implementations of Passkeys (aka Webauthn authenticators) other than Apple's. For example, Yubikeys are designed so private keys can never leave the authenticator [0]. Enabling the export of private keys from an authenticator greatly increases the attack surface of an authenticator.

This is a long-standing security/usability tradeoff in the Webauthn spec. Various solutions have been proposed, but as far as I know most of them are still just drafts, e.g. [1]. The best practice has been and, as far as I know, continues to be to register multiple authenticators, e.g. a primary and a backup authenticator. This practice has a variety of benefits:

1. Avoids lockout if an authenticator is lost.

2. If you use multiple authenticators from different vendors (e.g. Yubico and Google) you:

    1. Avoid vendor lock-in

    2. Can rapidly respond in case a security vulnerability is discovered in one of your authenticators, as has occurred for both Yubico [2] and Google [3].

One could use Apple's Passkeys as one's day-to-day "personal" authenticator, and use an authenticator from a different vendor (e.g. Yubico Yubikey or Google Titan Security Key) as one's backup key. I don't see how Apple's implementation increases the risk of lock-in beyond that of any of the other major Webauthn authenticator providers.

[0]: https://github.com/w3c/webauthn/issues/865#issuecomment-3804...

[1]: https://github.com/Yubico/webauthn-recovery-extension

[2]: https://www.yubico.com/support/issue-rating-system/security-...

[3]: https://security.googleblog.com/2019/05/titan-keys-update.ht...
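The primary-plus-backup practice described in the comment above, seen from the relying party's side. This is an added example, not code from the post or from any vendor's implementation: it parses the AAGUID out of WebAuthn registration `authenticatorData` (layout per the WebAuthn spec), checks that a user's backup really comes from a different authenticator model, and shows what a vendor-wide revocation does to a user who registered two keys from the same vendor versus one who did not. The AAGUIDs, user names and key bytes are constructed placeholders, not real vendor identifiers.

```python
"""Relying-party side of registering a primary and a backup authenticator.
Added example, not from the post or any vendor. AAGUIDs, user names and key
bytes are constructed placeholders, not real vendor identifiers."""
import hashlib
import struct
import uuid
from dataclasses import dataclass

FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included (authenticatorData flags)

# Constructed placeholder AAGUIDs standing in for two different vendors.
VENDOR_A = uuid.UUID("11111111-1111-4111-8111-111111111111")
VENDOR_B = uuid.UUID("22222222-2222-4222-8222-222222222222")


@dataclass(frozen=True)
class Credential:
    credential_id: bytes
    public_key: bytes   # COSE_Key bytes; kept opaque in this example
    aaguid: uuid.UUID   # identifies the authenticator model, hence the vendor
    sign_count: int


def build_authenticator_data(rp_id, aaguid, credential_id, public_key, sign_count=0):
    """Constructed test input shaped like registration authenticatorData:
    rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_UP | FLAG_AT])
            + struct.pack(">I", sign_count)
            + aaguid.bytes
            + struct.pack(">H", len(credential_id))
            + credential_id
            + public_key)


def parse_attested_credential(auth_data, rp_id):
    """Extract the credential and its AAGUID, rejecting data minted for another RP ID."""
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("authenticatorData too short for attested credential data")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("no attested credential data present")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credential ID")
    # A real RP CBOR-decodes the COSE key here; this example keeps the bytes opaque.
    return Credential(cred_id, auth_data[55 + cred_len:], aaguid, sign_count)


class CredentialStore:
    """Per-user credentials plus the two checks the backup practice needs."""

    def __init__(self):
        self._by_user: dict[str, list[Credential]] = {}

    def register(self, user, cred):
        creds = self._by_user.setdefault(user, [])
        if any(c.credential_id == cred.credential_id for c in creds):
            raise ValueError("credential already registered")
        creds.append(cred)

    def has_independent_backup(self, user) -> bool:
        # Two keys of the same model share any model-level bug; a backup only
        # survives a vendor vulnerability if its AAGUID differs.
        return len({c.aaguid for c in self._by_user.get(user, [])}) >= 2

    def revoke_by_aaguid(self, aaguid) -> dict[str, int]:
        """Drop every credential from the affected model; return per-user counts removed."""
        removed = {}
        for user, creds in self._by_user.items():
            keep = [c for c in creds if c.aaguid != aaguid]
            if len(keep) != len(creds):
                removed[user] = len(creds) - len(keep)
                self._by_user[user] = keep
        return removed

    def locked_out(self) -> list[str]:
        return sorted(u for u, creds in self._by_user.items() if not creds)


def demo(rp_id="example.com"):
    store = CredentialStore()
    def enroll(user, vendor, cred_id):
        data = build_authenticator_data(rp_id, vendor, cred_id, b"\xa5" + cred_id)
        store.register(user, parse_attested_credential(data, rp_id))
    enroll("alice", VENDOR_A, b"alice-primary")   # primary and backup from different vendors
    enroll("alice", VENDOR_B, b"alice-backup")
    enroll("bob", VENDOR_A, b"bob-1")             # "backup" is the same model as the primary
    enroll("bob", VENDOR_A, b"bob-2")
    before = {u: store.has_independent_backup(u) for u in ("alice", "bob")}
    removed = store.revoke_by_aaguid(VENDOR_A)    # vendor A publishes an advisory
    return {"backup_before": before, "removed": removed, "locked_out": store.locked_out()}


if __name__ == "__main__":
    print(demo())
```

The AAGUID is the only field in a registration that tells the relying party which authenticator model produced the credential, so it is also the only handle for a vendor-wide revocation; `has_independent_backup` is the check an RP can surface to users so that their backup is not just a second copy of the same vulnerable model.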