[hedora]

Here's a great github discussion about passkey plaintext exports.

Apparently, the FIDO alliance is considering adding an attestation feature that would allow websites to block various passkey implementations:

https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

e.g., they could block ones that allow exports, or they could block ones that are FOSS. To their credit, it looks like Apple's throwing their weight around to prevent such blocking from being technically possible.

The more I hear about this standard, the more concerned I become.

[TheNewsIsHere]

I expect Apple's focus on privacy (whether you wish to believe that is for marketing, or real) is at play here. While passkeys don't really work as a tracking mechanism, you could do some profiling based on attestation. I am sure Google would love for you to use passkeys and be able to control what devices those are used on, and know about what devices you have. "Oh you want to sign into YouTube? Are you really on an iPhone, or are you pretending it's an iPhone?"

I use AAGUID attestation for Yubikeys at work, but that addresses an actual security need to enforce known authenticator types and prevent enrollment of non-hardware tokens.