by cyberax 740 days ago
This is straightforward illegal monopoly nightmare fuel right here. Apple passkeys are going to be locked into their infrastructure, with no possibility to easily switch devices.

This doesn't have to be true, there are third-party password managers with Passkeys support (e.g. BitWarden), but they are not going to be able to access Passwords. It's specifically locked to only browser applications, Apple will not provide entitlement to access the keychain for any other app.

3 comments

This isn’t true as far as I can tell: when you create a passkey on iOS, the first screen prompts for which app to use to create the passkey and LastPass, at least, implements the necessary APIs.
Most users will not have them installed. And once you start using iCloud for them, migrating passkeys out of it is impossible.

You can't just install 1Password later and click "Import Passkeys".

Maybe not, but you can install 1Password later, go to the account with the iCloud passkey and use it once, then use 1Password to generate a new passkey for that account. This flow is also generally better than trying to port keys between accounts, which adds a lot of security concerns.
Once you have hundreds of accounts? Yeah, sure.
I might not understand the tech as well as you do, but does BitWarden have rights to read the 1Password vault, or 1Password have rights to read the LastPass vault?

Generally I thought with passkeys, the logic is that you provision one passkey per app you want to have access to a service?

I.e., I can provision a separate passkey for GitHub, for instance, both in 1Password, and in Keychain if I like, and sign in to the service with either one?

Or am I missing something?

You aren’t missing anything. This is exactly what you do, and it’s not even hard.
BitWarden technically can read the 1Password vault on macOS, though not on iOS, unless the 1Password developer agrees to the collaboration. This is kinda expected, given the crazy locked-down iOS.

However, Apple does not provide entitlements to read iCloud Keychain even on macOS: https://developer.apple.com/documentation/bundleresources/en...

I don't believe there are easy legitimate ways to work around it. Disabling SIP (System Integrity Protection) will render passkeys inaccessible, though I'm not sure about that.

> Generally I thought with passkeys, the logic is that you provision one passkey per app you want to have access to a service?

A passkey is basically a private key that is specific to a given site. Nothing more, nothing less. So you will have separate passkeys for Hacker News, Slashdot, Reddit, eBay, etc. They will be stored in iCloud Keychain and synchronized across devices.

Apple is not going to provide easy ways to bulk-export all this data if you want to migrate to Windows. Or maybe even to switch browsers.

If you use an alternative password manager like BitWarden, your ability to export passkeys will depend on its implementation.

Did you actually watch the video? OP's title is essentially made up and doesn't accurately describe the contents at all.