by ganbatekudasai 1295 days ago
If that is ever the case, which I honestly think is doubtful (though I could be wrong), given that it's an open standard, I don't think there's anything preventing people from writing a passkey implementation that saves the secret key material in a plain file or anything similar. It likely already exists.

Sure, but that works for passwords because you can copy-paste them from an external program. The WebAuthn API in question is built around using JS in the website's context to manipulate the passkey. [1] You have to hope that the browser gives a way for an external program to be involved in that JS API's implementation.

Looking at KeepassXC's WebAuthn WIP implementation, it works by injecting JS into the website context that overrides the default JS API to its own implementation instead. [2] I don't see any API in the chrome extensions docs [3] that could be used to customize passkeys, so I assume 1Password's passkey implementation (mentioned in other comments in this thread) does the same thing. I sure hope the browsers don't decide to crack down on it by making the API uninterceptable in the name of security.

[1]: https://web.dev/passkey-registration/#call-webauthn-api-to-c...

[2]: https://github.com/keepassxreboot/keepassxc-browser/commit/4...

[3]: https://developer.chrome.com/docs/extensions/reference/
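
The override-with-fallback pattern described in the comment above, as an added example that is not part of the thread and not KeePassXC's or 1Password's code. `makeFakeCredentials`, `installCreateShim` and the `provider` hook are hypothetical names, and a constructed object stands in for `navigator.credentials` so the block runs outside a browser.

```javascript
// Constructed stand-in for the page's navigator.credentials object.
function makeFakeCredentials() {
  return {
    async create(options) {
      return { source: "browser", kind: options && options.publicKey ? "public-key" : "other" };
    },
  };
}

// Only WebAuthn requests carry a `publicKey` member; anything else
// (password, federated) must stay with the browser's own implementation.
function isWebAuthnRequest(options) {
  return Boolean(options && typeof options === "object" && options.publicKey);
}

// Replace container.create with a wrapper that asks an external provider first.
// `provider` (hypothetical) stands in for the password manager: it resolves to a
// credential, or to null when it declines. Returns a function that undoes the override.
function installCreateShim(container, provider) {
  const original = container.create;
  const nativeCreate = original.bind(container);

  container.create = async function create(options) {
    if (!isWebAuthnRequest(options)) return nativeCreate(options);
    try {
      const credential = await provider(options.publicKey);
      if (credential) return credential;
    } catch (_err) {
      // Provider failed: fall through so the site still gets the browser flow.
    }
    return nativeCreate(options);
  };

  return function uninstall() {
    container.create = original;
  };
}
```

Because the wrapper is an ordinary property assignment in the page's own JS context, it only works as long as the browser leaves that property replaceable, which is the dependency the comment is worried about.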

Browsers should definitely give developers an open API for WebAuthn/Passkeys instead of relying on dirty inject hacks. For now, injecting is the only way to get it to work. Unless you modify the password manager itself to disguise itself as a USB authenticator device.

use a browser that honors user freedom

the whole problem boils down to this

this thread is full of people already anxious about this new thing because they rightfully see this as one more step toward total loss of user control/freedom (which wouldn't be if people trusted their browser vendor, etc)

Which browser lets arbitrary processes plug into the passkey JS API?

(I do use a browser that respects my freedom - firefox. Well, firefox with lots of user.js overrides. But the choice of passkey usage is up to websites, not the browser, so the answer can't be "Don't use websites that require passkeys.")