Hacker News
by zacharyvoase 1217 days ago
I see a few obstacles with Passkeys as-implemented:

* They effectively entrust the keys to your entire digital life to (right now) either Google or Apple. Account compromise, or a ToS-related suspension, becomes catastrophic.

* Domain changes happen (acquisitions, rebrands, etc.), and there is no way to share or migrate passkeys between domains. Right now the best you can do is a highly manual process involving the user authenticating on the old domain, registering a new credential on the new domain, and somehow linking them. This process itself could be highly vulnerable to interception, since every site would likely have to build a bespoke way of doing it.

* There's no way to migrate your passkeys between ecosystems. So if you're an iPhone user, and all your logins are iCloud Passkeys, it becomes really hard to switch to Android.

* Password-sharing is regrettably used a lot right now, but it's the simplest thing that works. For example, my husband and I have a shared 1Password vault for things like utility and streaming account logins. Right now none of the Passkey syncing providers support anything like that (and I feel like they won't, because it'd be a huge vector for scams).

I think the password is going to stick around until these issues are addressed.
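The second bullet above turns on one detail of how passkeys are scoped, and it is worth seeing concretely. The following is an added example, not code from the post or from any passkey provider: it parses the fixed prefix of WebAuthn authenticator data and performs the rpIdHash check a relying party runs on every assertion. The domain names are hypothetical and the authenticator data is constructed inline rather than captured from a real device; the signature check that follows the rpIdHash check in a real verification is omitted.

```python
"""Added example, not from the HN thread: how a passkey gets pinned to one domain.

Every WebAuthn assertion carries authenticator data whose first 32 bytes are
rpIdHash = SHA-256(rpId). The relying party recomputes the hash of its own
rpId and rejects anything else, so a credential scoped to one domain is
useless on another. The domain names are hypothetical and the authenticator
data is constructed inline; nothing here is captured from a real authenticator.
"""
import hashlib
import hmac
import struct

# Bits of the flags byte at offset 32 of the authenticator data.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced (a "passkey")
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows

AUTH_DATA_MIN_LEN = 37  # rpIdHash(32) + flags(1) + signCount(4)


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 over the RP ID string, exactly as the authenticator computes it."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct the fixed 37-byte assertion prefix an authenticator would emit."""
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticator data into its fixed fields; rejects truncated input."""
    if len(auth_data) < AUTH_DATA_MIN_LEN:
        raise ValueError("authenticator data shorter than %d bytes" % AUTH_DATA_MIN_LEN)
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def verify_rp_binding(auth_data: bytes, expected_rp_id: str, require_uv: bool = True) -> bool:
    """The rpIdHash / UP / UV checks a relying party runs on an assertion.

    The signature over authData || SHA-256(clientDataJSON) is verified
    separately and is omitted here; this shows only why the domain is load-bearing.
    """
    parsed = parse_auth_data(auth_data)
    if not hmac.compare_digest(parsed["rp_id_hash"], rp_id_hash(expected_rp_id)):
        return False  # credential was scoped to a different domain
    if not parsed["user_present"]:
        return False
    if require_uv and not parsed["user_verified"]:
        return False
    return True


def demo() -> dict:
    """A synced passkey scoped to the old domain is rejected by the new one."""
    old_rp_id = "old-brand.example"  # hypothetical pre-rebrand domain
    new_rp_id = "new-brand.example"  # hypothetical post-rebrand domain
    # Synced passkeys set BE and BS; a sign count of 0 is common for them.
    assertion = build_auth_data(old_rp_id, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    return {
        "accepted_by_old_rp": verify_rp_binding(assertion, old_rp_id),
        "accepted_by_new_rp": verify_rp_binding(assertion, new_rp_id),
        "fields": parse_auth_data(assertion),
    }


if __name__ == "__main__":
    result = demo()
    print("old RP accepts:", result["accepted_by_old_rp"])
    print("new RP accepts:", result["accepted_by_new_rp"])
```

Because the browser only lets a page request credentials for its own registrable domain and the authenticator only ever emits assertions carrying the hash of that domain, neither side can be talked into producing an assertion for the new name. That is why the only path is the manual one described above: authenticate on the old domain, register a fresh credential on the new one, and link the two server-side.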


> There's no way to migrate your passkeys between ecosystems.

The FIDO Alliance doesn't recommend that you migrate Passkeys, but instead, you have multiple passkeys across various platforms for the same "login".

See the following talk on this very thing: https://www.youtube.com/watch?v=SWocv4BhCNg

The FIDO Alliance can recommend whatever they want, but making multiple passkeys is not a substitute for import/export. It's a backup strategy for what happens if a device gets lost, it doesn't make it any easier to set up new devices.

Backup is an orthogonal problem to migration, and it's really weird that the FIDO alliance keeps treating them like they're the same problem.

You're still looking at a scenario here where if you buy a new phone without any passkeys on it and it's in a different ecosystem, you have to manually migrate every single site you have an account with. That's a huge accessibility problem for ordinary people, that's absolutely going to hinder adoption.

To make matters worse, I don't even know on which websites I have my YubiKey registered.

I just checked mine, and it shows my Microsoft credentials and NVidia.

But I know for a fact that I also use it on Vanguard and BofA (which doesn't support keys on iOS in case you're wondering).

So I 1) cannot extract the master key from my YubiKey and move it to another one to make an exact duplicate, and 2) cannot discover the places where I registered my key.

For SSH you can have a 'sk' key and a normal one [0]. I went with the normal one and moved it into the YubiKey, at least that way I have a backup sitting SOMEWHERE.

[0] https://cryptsus.com/blog/how-to-configure-openssh-with-yubi... (not affiliated at all)

> They effectively entrust the keys to your entire digital life to (right now) either Google or Apple.

Yeah this seems like a big one. Of course password managers will add support too but that isn't an actual solution since those often cost money and require extra effort on the user's part.

Part of me feels this needs to be legislation that requires tech companies to settle on a standard that works cross-browser cross-device. I imagine something like the EU's recent moves to force Apple to support USB-C could work well here.

The problem with legislation like this is that it eliminates the possibility of a better solution.

What happens if someone invents a better interface than USB 3.0?

Or better, why would anyone bother when a better interface couldn't be used?

> Right now none of the Passkey syncing providers support anything like that (and I feel like they won't, because it'd be a huge vector for scams).

Within the Apple ecosystem Passkeys can be shared with contacts through AirDrop (no other methods are presently allowed). The Passkey is then copied directly from your Keychain to your contact’s Keychain.

Yep, and this is the worst of both worlds. You don't get the security benefit you would if the keys were stored in non-exportable hardware, and you also don't get the freedom to move them to a different ecosystem.

1Password does have passkeys in the works. https://www.future.1password.com/passkeys/

Does 1Password have a solution planned for migrating to other password managers? Can I migrate my "logins" from Android to 1Password in a single action (as opposed to going account-by-account and adding a new key)?

Being tied to 1Password is better than being tied to iOS, but it's a far cry from real portability.

This doesn't mention anything about passkeys though, only traditional password fields and one-time passwords. I'd love to see some confirmation that their passkey implementation is going to include the same support.

1Password doesn't support passkeys, so their documentation isn't going to mention this.

Right, the question is: given that 1Password is adding support for passkeys (https://www.future.1password.com/passkeys/), are they going to support exporting them once they are a passkey provider?

I don't see any indication that they are. If they don't plan to support exporting and importing into other ecosystems, then I would argue that their implementation is not portable. I would say that zacharyvoase's concern is still valid in that scenario:

> There's no way to migrate your passkeys between ecosystems

Is 1Password part of the cartel, or is the spec open enough to run my own passkey sync infra like they do? I can't tell from these docs.