by darknavi 978 days ago
> nobody wants to allow plaintext export of passkeys.

While noble, why? 1Password exports a plaintext file that has all of the credentials in plaintext already.


I guess "100% secure against phishing" is incompatible with "the user can in any way access the key" because if you knew the key, in theory some super-convincing phishing site could get you to spill it.

I still think the real reason is lock-in, but I could imagine this is their official justification.

Given all of the horror stories (some real, some hypothetical) told in this thread, it seems that one of the major side effects of passkeys — if not the primary purpose — is to keep you locked into whatever you used to create your passkey. Plaintext export would ameliorate that.

Because passkeys are supposed to be a bit more secure than plaintext passwords.

Passkeys are supposed to eliminate the need for companies to store a password so we no longer have to deal with the fallout of 40 breaches a year. In order to export passkeys it has to be in plaintext at some point, even if encrypted once again into the export file. Point is, one of the huge selling points of pushing people to use passkeys is the portability and lack of vendor lock-in, yet here we are with choices that are all currently vendor lock-in.
Computer security is generally defined as Confidentiality, Integrity and Availability.

Not “or”. Passcodes don’t provide availability, so they are not providing security.

This is undergrad-level stuff.

This sounds a bit like "a turned off computer is the only secure computer".

Because in this brave new world you aren't supposed to own your keys; some proprietary HSM inside your device does.