by sebk 1141 days ago
WebAuthn lets RPs reason about the strength and capabilities of the authenticator at registration time. With a mechanism like a shared file format and standard ways of transferring them, those mechanisms would be undermined. With hardware-backed multi-device Passkeys, the entire sync fabric becomes the authenticator. Apple and Google currently zero out attestation data, but you can imagine a scenario where attestation data matching the device is presented for single-device passkeys and DPK, but a different attestation key is used for multi-device passkeys that represents the entire sync fabric.

Instead, with all these password manager vendors not wanting to be left out, and a good portion of the userbase either not being entirely in a single vendor's ecosystem and not wanting to deal with the hassle of QR codes and registering each fabric in each RP, or simply distrusting the big vendors like we see here in this thread, I can see cross-platform virtual authenticators like the one you're working on becoming more common, and I don't think it's unlikely that the OSs will offer APIs to back these keys with TPMs/Secure Enclaves, and will allow you to replace the built-in passkey manager with a third-party, much like they do with password managers today.

If software-based authenticators want to support import/export capabilities, they don't quite need an open standard, in the same way there isn't one for passwords but you can import/export passwords with any major password manager.

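The first comment's point is that an RP can reason about an authenticator at registration time from what the authenticator reports about itself: the attestation format, the AAGUID, and the backup-eligible (BE) / backup-state (BS) flags that mark a multi-device passkey. The following is an added example, not code from the thread or from any vendor: a minimal parser for the fixed-layout part of WebAuthn authenticator data plus a sample RP policy on top of it. The sample authenticator data, the AAGUID value and the rp ID `example.com` are constructed for the example; the code does not verify attestation signatures, so for any format other than `none` the caller would still have to validate the attestation statement before trusting the AAGUID.

```python
"""Added example: how a WebAuthn RP can classify a credential at registration time."""
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up (synced)
FLAG_AT = 0x40  # attested credential data follows the header

ZERO_AAGUID = bytes(16)  # what synced passkeys report today alongside fmt "none"


@dataclass
class AttestedCredential:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: bytes
    credential_id: bytes


def parse_authenticator_data(auth_data: bytes) -> AttestedCredential:
    """Parse registration authenticator data up to the credential ID.

    The COSE public key that follows is CBOR and is not needed for the
    capability check below, so the parser stops before it.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if not flags & FLAG_AT:
        raise ValueError("registration response lacks attested credential data")
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("BS set without BE is forbidden by the spec")  # malformed
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    aaguid = auth_data[37:53]
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    credential_id = auth_data[55:55 + cred_len]
    if len(credential_id) != cred_len:
        raise ValueError("credential ID truncated")
    return AttestedCredential(rp_id_hash, flags, sign_count, aaguid, credential_id)


def classify(fmt: str, cred: AttestedCredential) -> dict:
    """Summarise what the registration tells the RP about the authenticator.

    'fmt' is the attestation statement format from the CBOR attestation object
    ("none", "packed", "tpm", ...). No attestation signature is verified here.
    """
    return {
        "scope": "multi-device" if cred.flags & FLAG_BE else "single-device",
        "currently_synced": bool(cred.flags & FLAG_BS),
        "attested": fmt != "none" and cred.aaguid != ZERO_AAGUID,
        "user_verified": bool(cred.flags & FLAG_UV),
    }


def accept_registration(fmt: str, auth_data: bytes, *, require_attestation: bool,
                        allow_multi_device: bool) -> bool:
    """Sample RP policy built on the self-reported capabilities above."""
    summary = classify(fmt, parse_authenticator_data(auth_data))
    if require_attestation and not summary["attested"]:
        return False
    if not allow_multi_device and summary["scope"] == "multi-device":
        return False
    return True


# --- constructed sample data (not captured from real authenticators) -----------
def build_auth_data(flags: int, aaguid: bytes) -> bytes:
    rp_id_hash = hashlib.sha256(b"example.com").digest()
    credential_id = bytes([0x42]) * 32
    cose_key_placeholder = b"\xa5\x01\x02"  # first bytes of a COSE_Key map; rest omitted
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", 0) + aaguid
            + struct.pack(">H", len(credential_id)) + credential_id + cose_key_placeholder)


MADE_UP_KEY_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical
# A synced passkey as the platform vendors return it today: BE+BS, fmt "none", zero AAGUID.
SYNCED_PASSKEY = ("none", build_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, ZERO_AAGUID))
# A device-bound credential from a hardware key with packed attestation.
HARDWARE_KEY = ("packed", build_auth_data(FLAG_UP | FLAG_UV | FLAG_AT, MADE_UP_KEY_AAGUID))

if __name__ == "__main__":
    for name, (fmt, data) in {"synced passkey": SYNCED_PASSKEY, "hardware key": HARDWARE_KEY}.items():
        print(name, classify(fmt, parse_authenticator_data(data)))
```

The interesting case for the comment's argument is the synced passkey: the RP can see from BE/BS that the credential lives in a sync fabric, but with `fmt` `none` and a zero AAGUID it learns nothing attestable about that fabric, which is exactly what a fabric-level attestation key would change.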

This is something that I think is a bit of a security tradeoff. Hardware-based keys are absolutely more secure than software ones, but they come with significant usability limitations. I worry that if RPs restrict themselves to only hardware-based keys, then that will kill adoption of passkeys in general and we will be stuck with passwords. Software passkeys are already a significant security upgrade to passwords, and so I would like to see them gain adoption.

In my ideal scenario, users would be able to use software passkeys for most websites, and then have hardware authenticators either for the vault of software passkeys or directly for a few key websites.

Yeah don't get me wrong, I wasn't disagreeing. I think the lack of interoperability is a major risk to adoption, but I also understand why we don't have interoperability today and why we likely never will.

What I'd like to see password manager vendors like you do, though, is to push FIDO and the OS vendors to have richer APIs for interacting with the hardware components that can back keys. To be clear, I don't want to use Bulwark to manage or export passkeys in my iCloud Keychain (I'm confident that will never happen), but I want Bulwark to be able to create a passkey that is backed by a secure element in Mac OS, and then be able to request a wrapped version of that key to be exported, and later imported into a TPM running on a Windows OS.

> I can see cross-platform virtual authenticators like the one you're working on becoming more common, and I don't think it's unlikely that the OSs will offer APIs to back these keys with TPMs/Secure Enclaves, and will allow you to replace the built-in passkey manager with a third-party, much like they do with password managers today.

It seems like you know more about this space than I do, so maybe you can explain it to me. What incentive do players like Apple and Google have to allow this to happen? Don't all of their incentives point to eventually requiring attestation from trusted hardware devices and increasing lockin?

You can't export hard TPM keys, so attested keys become recovery bottlenecks in the user experience. Sure, that's a potential moat to prevent people from jumping as easily between walled gardens, but it's also a moat that can accidentally just make your users unhappy if they end up in an unhappy path in your walled garden. People lose devices and need hard recoveries all the time. If they can't get past the moat, they are just as likely to jump to your competitor anyway if they are "starting over".

For what it is worth, Apple has recently stated that they don't see a lot of day-to-day need for hardware-attested keys and their Passkeys implementation is working to avoid them in most cases in practice, in large part especially due to that user experience of preferring comfort and recoverability over lock-in.