by SheinhardtWigCo 962 days ago
> "Please share your passkey with us for authentication by going to your device's settings and selecting the 'export passkey' option"

This doesn't seem materially different from "please go to your emails and find the six-digit code we just sent you".

> Exporting a passkey leaves no relying-party-side traces.

Not if it's only useful for getting a device-bound session token. Everything you listed is already commonplace.

1 comment

> This doesn't seem materially different from "please go to your emails and find the six-digit code we just sent you".

Exactly, that's the problem lxgr is pointing out. Those six-digit codes can be (and often are) phished by e.g. tech support scam attackers. lxgr is pointing out that the exact same attack could be done against an exported passkey.

So you’re saying this phishing attack:

We have to rename and re-enroll your device token so your laptop can still log in.

Click “I registered this credential” when you get the alert about it so your old credential that you added before will still work.

Is harder to pull off than:

Go to your password manager and export the entire database of locally stored passwords. Now, print it out and read this 200-character string to me over the phone, or just email the file to me.