[SheinhardtWigCo]

You're not really vulnerable to phishing if you use a password manager with a browser extension.

Cross-platform import/export for passkeys is considered a "nice-to-have" because you can always just add a new device via other established factors (email/SMS).

So, what's the point, then? Why can't passkeys just be strings that I can extract via biometric authentication?

The answer: everyone pushing this has a significant interest in making it harder to migrate between operating systems and password managers.

It's a land grab.

[jiveturkey]

https://matduggan.com/passkeys-as-a-tool-for-user-retention/

> It is also, as currently implemented, one of the most effective platform lock-ins I've ever seen.

[lxgr]

> Why can't passkeys just be strings that I can extract via biometric authentication?

As much as that lock-in annoys me personally – I could absolutely see this become a tech support scam attack vector. "Please share your passkey with us for authentication by going to your device's settings and selecting the 'export passkey' option"...

> you can always just add a new device via other established factors (email/SMS)

That gives the relying party some agency about requiring additional authentication to add devices though, of treating devices added under dubious circumstances as less trusted, or simply of sending a security notification to the customer.

Exporting a passkey leaves no relying-party-side traces.

[SheinhardtWigCo]

> "Please share your passkey with us for authentication by going to your device's settings and selecting the 'export passkey' option"

This doesn't seem materially different from "please go to your emails and find the six-digit code we just sent you".

> Exporting a passkey leaves no relying-party-side traces.

Not if it's only useful for getting a device-bound session token. Everything you listed is already commonplace.

[jesseendahl]

>This doesn't seem materially different from "please go to your emails and find the six-digit code we just sent you".

Exactly, that's the problem lxgr is pointing out. Those six-digit codes can (and often are) phished by e.g. tech support scam attackers. lxgr is pointing out the same exact attack could be done against an exported passkey.

[hedora]

So you’re saying this phishing attack:

We have to rename and re-enroll your device token so your laptop can still log in.

Click “I registered this credential” when you get the alert about it so your old credential that you added before will still work.

Is harder to pull off than:

Go to your password manager and export the entire database locally stored passwords. Now, print it out and read this 200 character string to me over the phone, or just email the file to me.

[veeti]

Can't we just put a 100px blinking red text that says "Do not share this with anyone or it's your own fault" and be done with it?

[lxgr]

It would be great if that were actually 100% effective, but unfortunately phishing still happens despite such warnings.

In a situation where a message on a screen tells a person to do x, and a person on the phone tells them to disregard it because it’s a computer error or whatever and do y, some percentage of people will do y.

The only way to prevent that is for there to be only one option – the safe one. Sometimes that has unacceptable other implications of course; this might well be such a case.

[magicalhippo]

> In a situation where a message on a screen tells a person to do x, and a person on the phone tells them to disregard it because it’s a computer error or whatever and do y, some percentage of people will do y.

It's the human version of prompt injection attack.

[GoblinSlayer]

Rename "export passkey" to "backup passkey". Or backup whole database.