by secabeen 1249 days ago
Are Passkeys exportable and re-importable by another service, site, or system?

I am strongly opposed to any authentication system that makes my authorization workflow for unrelated third-party sites dependent on any company whose terms of service allow them to suspend or terminate my use without reasonable recourse or recovery.

Passwords have problems, but I can print them out on a piece of paper in a fire safe.

2 comments

Passkeys aren't limited to cloud-synced services. Something like an existing YubiKey is also considered to be capable of creating single-device passkeys (e.g. ones which are tied to physical hardware and do not have recovery capabilities).

The expectation is that websites will allow you to register multiple passkeys, and that these may correspond to different devices. For instance, I may have my iPad, Android phone and Windows desktop registered as three separate passkeys on an account.

There is a cross device flow that works across ecosystems, based on QR codes and wireless proximity. So the expectation is that websites could (if they desire) see that you authenticated using your phone onto your Windows Hello capable desktop, and ask if you want to register a new passkey from your Windows desktop to make things more convenient in the future.

Before platforms added backup to cloud sync fabric, you would lose your credentials when you lost your security key fob or upgraded your phone. It was a user's responsibility to register additional credentials, such as remembering to go back after-the-fact to use a security key they kept at home in their fire safe to register their 'backup' credential.

This strong hardware binding made it more useful for secure environments (which typically have MFA requirements and staff dedicated to account recovery) and a lot less useful for consumer environments (which want to prevent breaches but not at the expense of additional user friction or support costs).

Web Authentication is effectively saying to let the user utilize whatever they want to authenticate, and let a relying website determine how to react to the capabilities or limitations of that choice. What is considered a capability or liability will depend on the particular deployment business requirements, and that will determine how they adapt. For example, an enterprise might decide to just reject everything except the exact security key they issued to an employee or contractor. For most other verticals, that is not a viable strategy.
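The relying-party side of what this comment describes (several passkeys registered per account, a site reacting to each credential's capabilities, an enterprise rejecting everything except its issued key), as an added Python example that is not part of this thread: it decodes the authenticator data returned at registration, reads the backup-eligibility flags, and applies a registration policy. Signature and attestation verification are assumed to happen elsewhere, and the AAGUIDs and sample authenticator data are constructed placeholders.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the authenticator data "flags" byte: UP user present, UV user verified,
# BE backup eligible, BS currently backed up, AT attested credential data follows.
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40
ISSUED_KEY_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
PLATFORM_AAGUID = bytes.fromhex("ffeeddccbbaa99887766554433221100")    # constructed

@dataclass
class Registration:
    aaguid: bytes
    credential_id: bytes
    user_verified: bool
    backup_eligible: bool  # BE: credential can be synced to a cloud backup
    backed_up: bool        # BS: credential is currently backed up

def parse_authenticator_data(auth_data: bytes, rp_id: str) -> Registration:
    """Decode the fixed-layout prefix of registration authenticator data."""
    if len(auth_data) < 37 + 18:
        raise ValueError("authenticator data too short")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    flags = auth_data[32]
    if not (flags & FLAG_UP) or not (flags & FLAG_AT):
        raise ValueError("registration needs user presence and attested credential data")
    aaguid = auth_data[37:53]
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credential id")
    return Registration(aaguid, cred_id, bool(flags & FLAG_UV),
                        bool(flags & FLAG_BE), bool(flags & FLAG_BS))

def registration_decision(reg, existing, enterprise_allowlist=None) -> str:
    """Relying-party policy: react to the capabilities of the offered credential."""
    # Enterprise mode: only issued models. The AAGUID is trustworthy only once the
    # attestation statement has been verified, which this example does not do.
    if enterprise_allowlist is not None and reg.aaguid not in enterprise_allowlist:
        return "reject: authenticator model not on the issued-key allowlist"
    if any(c.credential_id == reg.credential_id for c in existing):
        return "reject: credential already registered"
    # Consumer mode: accept, but a lone non-backup-eligible credential (a hardware
    # key) is a single point of loss, so ask the user to register a second passkey.
    if not reg.backup_eligible and not existing:
        return "accept; prompt user to register a backup passkey"
    return "accept"

def build_auth_data(rp_id, flags, aaguid, cred_id, cose_key=b"\xa0"):
    """Constructed sample authenticator data: signCount 0, empty CBOR map as the key."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key)
```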

You own your own passkeys on your own device, ultimately. Google/Apple/MS have no ownership or knowledge of the actual keys.

Okay, can they block access to those keys and/or the backups of them? Assume that my account is terminated or that it's compromised to the degree that I cannot re-claim access to it. Can I move those keys to my new device/system without the cooperation of Google/Apple/MS?

They cannot block access. The passkeys are actually stored on your devices in a Trusted Platform Module. When moved to the cloud, they are E2E encrypted, and the transferring platform has zero knowledge of your keys.

Currently, you cannot move them to other devices without the cooperation of some cloud service, or the like. At some point you'll have to trust someone to move passkeys between devices.