[hiatus]

Can you expand on the vendor lock aspect? I have stored passkeys in my password manager, so they feel pretty portable to me. Is it that each service requires a unique passkey? That seems comparable to how each service would require its own TOTP seed.

[supportengineer]

Your password manager came from a vendor. As a thought exercise, switch vendors.

[EnPissant]

Bitwarden exports include passkeys.

[dboreham]

Have you actually tried exporting a passkey and importing it into another manager, then successfully authenticate with it?

[coldpie]

KeepassXC lets you export the private key, which you can then back up or import into another KeepassXC instance. I have tested this, it works. I even shipped my exported private key off to a friend in another state and he was able to import it into a KeepassXC instance and log in to my account. Presumably another password manager could support importing the data, as it's just plaintext, though I don't know if any do.

Unfortunately the spec authors think this export feature violates the spec and have threatened KeepassXC with being banned by authenticating websites[1]. This explicit support from the spec authors for client banning makes passkeys non-viable to me. The websites I log in to should not be able to restrict what clients I choose to use to manage my own data.

[1] Spec author writes, "To be very honest here, you risk having KeePassXC blocked by relying parties. ... (RPs [may] block you, something that I have previously rallied against but rethinking as of late because of these situations)." https://github.com/keepassxreboot/keepassxc/issues/10407

[timeflex]

Furthermore, they "heard rumblings that KeepassXC is likely to be featured in a few industry presentations that highlight security challenges with passkey providers."

Basically, do what we say or expect us to have our corporate sponsors write bad press about your security.

[EnPissant]

Just having the data exported is peace of mind for me. It's trivial to import or convert to another format (even if not implemented now), so the worst-case scenario is acceptable, especially considering how much better Bitwarden + Passkeys are to every other form of authentication.

[cyberax]

BitWarden is OpenSource. I did try importing the export using my own hosted BitWarden server, it worked.

[koakuma-chan]

https://blog.1password.com/fido-alliance-import-export-passk...

[recursive]

> we have no interest in creating a walled garden or locking you into 1Password.

They have no interest... in collecting subscription fees? I'm a satisfied 1Password customer, but it's hard to take this claim seriously. What does it mean? They literally get paid. Isn't that the definition of an interest?

[koakuma-chan]

Maybe they can get more customers by being based.

[dataflow]

I think you're thinking of incentive not interest. Like how you can have incentives to steal from the supermarket, but still have no interest.

[recursive]

I'm thinking of another definition of "interest". e.g. "have an interest in"

[Steltek]

From the article:

> But how can websites know whether its users are using secure authenticators? Authenticators can cryptographically prove certain facts about their origins, like who manufactured it, by generating an attestation statement when the user creates a passkey; this statement is backed by a certificate chain signed by the manufacturer.

How many scummy companies trot out "Let me protect you from yourself" to justify taking away their users' freedoms?