[shmerl]

Passkeys are advertised as more convenient form of private / public keys approach. So how is that any different from other usage of private keys which are considered long term secrets? Incompetent users can compromise them now too.

It doesn't mean it should be easy to do, but it's also completely unacceptable to make a requirement like "users are forbidden to access their private keys".

> by anyone at all

What do you mean by anyone at all? By the owner of the private key. Not by anyone.

[amluto]

> What do you mean by anyone at all? By the owner of the private key. Not by anyone.

If I log into my computer and turn my private key into a plaintext blob, as a file or a Python object or something on a USB stick or a QR code that I photograph, then anyone who happens to have compromised my computer at the time has my public key, too. Even if I subsequently fix the compromise, they still have my public key.

I do not want this to happen.

[csande17]

IMO one of the biggest issues with the Passkey spec is that it doesn't provide a way to automatically rotate credentials. The entire security model relies on Apple/Google/[insert name of nonprofit they end up allowing through the DRM gates to avoid antitrust suits] being completely infallible, forever.

[shmerl]

That's why normally private keys (like when used with ssh for example) are paired with something like a passphrase that should offer an additional layer of protection. But still, you (the owner of the private key) can access it. You should keep both your key and your passphrase secret. Not sure what passkeys are doing about it, but I still don't see any valid reason for the owner not to have full access to the key.

If someone has sufficient access to your computer (like being able to keylog and stuff) - it's somewhat late to worry about keys being compromised.