Bitwarden's hosted platform has a feature exactly for this use case: https://bitwarden.com/help/emergency-access/ But yes, you can export passkeys. They take this format in the backed-up JSON:

  {
    "passwordHistory": null,
    "revisionDate": "2025-05-15T11:10:37.341Z",
    "creationDate": "2025-05-15T11:10:37.134Z",
    "deletedDate": null,
    "id": "3b90b785-efb7-491b-92e8-525b446df781",
    "organizationId": null,
    "folderId": null,
    "type": 1,
    "reprompt": 0,
    "name": "passkeys.io",
    "notes": null,
    "favorite": false,
    "login": {
      "fido2Credentials": [
        {
          "credentialId": "f167c754-5a4c-4c4a-b5e5-6faf18bde5a6",
          "keyType": "public-key",
          "keyAlgorithm": "ECDSA",
          "keyCurve": "P-256",
          "keyValue": "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgMnNsrXAHP50Glhs1vBPgCFVv3jj-nuZ9gHVRdGg2anehRANCAATtK7xFvDIn8mAOCniczaG5ytAE_eBR0kkgd5lFVahpI6tQ5U-nBAkgqvlmtObrWDNu0-RgiCgYnOLXFPEyda4j",
          "rpId": "www.passkeys.io",
          "userHandle": "47GTTn99QtyNUGaMFMzH2A",
          "userName": "<masked against scrapers>",
          "counter": "0",
          "rpName": "passkeys.io",
          "userDisplayName": "<masked against scrapers>",
          "discoverable": "true",
          "creationDate": "2025-05-15T11:10:37.645Z"
        }
      ],
      "uris": [
        {
          "match": null,
          "uri": "https://www.passkeys.io/"
        }
      ],
      "username": "<masked against scrapers>",
      "password": null,
      "totp": null
    },
    "collectionIds": null
  }
(I have deleted the account on passkeys.io so don't bother trying to hack my demo account)

As for the lack of documented export options: that's kind of the point for many passkey providers. You can't export the key from a YubiKey, you can't export the keys from a smart card, you can't export the keys from an RFID dongle*, and in the same vein you cannot export the keys from many passkey providers. What you can (or at least should be able to) do, is add a backup key. That can be someone else's PC/account in case your house burns down, or a physical YubiKey you store in a fire safe somewhere, whatever mitigations you need. You could also use a tiered setup; if you use hardware tokens to sign into your relatives' Apple/Google/Microsoft/1Password account, you can in turn use their cloud tokens to sign into whatever services they use. That way, you hand out some trust to their authentication provider, but in exchange managing physical backup keys becomes a lot easier as you don't need to open your safe every time you create a credential for an important website. You can use such a physical recovery key even if your relative prefers to log in with username+password.
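To make that export concrete, here is an added example (not Bitwarden's code, and not from either commenter) that takes the fido2Credentials entry quoted above, unpacks keyValue, which is a base64url-encoded PKCS#8 PrivateKeyInfo wrapping an RFC 5915 ECPrivateKey, checks that the embedded public point really matches the private scalar, and then signs a WebAuthn-style assertion the way an authenticator would, using nothing but the Python standard library. The flags byte and the clientDataJSON are assumed demo values; the P-256 arithmetic is spelled out so the file has no dependencies (a teaching implementation, not constant-time, so not for production use).

```python
"""Added example, not Bitwarden code: unpack the fido2Credentials entry quoted
above and use its key to produce a WebAuthn-style assertion with the Python
standard library only. FLAGS and CLIENT_DATA are assumed demo values."""
import base64
import hashlib
import secrets
import struct

EXPORT_CRED = {  # copied from the export above; masked user fields omitted
    "keyValue": "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgMnNsrXAHP50Glhs1vBPgCFVv3jj-nuZ9gHVRdGg2anehRANCAATtK7xFvDIn8mAOCniczaG5ytAE_eBR0kkgd5lFVahpI6tQ5U-nBAkgqvlmtObrWDNu0-RgiCgYnOLXFPEyda4j",
    "rpId": "www.passkeys.io",
    "counter": "0",
}
FLAGS = b"\x05"  # assumed flags byte: UP | UV set, no attested-credential data
CLIENT_DATA = b'{"type":"webauthn.get","challenge":"demo","origin":"https://www.passkeys.io"}'  # constructed

# NIST P-256 domain parameters, written out to avoid a third-party dependency
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")   # 1.2.840.10045.3.1.7

def ec_add(p1, p2):
    """Affine point addition on P-256 (a = -3); None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point, k = ec_add(point, point), k >> 1
    return acc

def der_read(buf, pos=0):
    """Read one DER TLV at pos; returns (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def parse_key_value(key_value):
    """keyValue = base64url(PKCS#8 PrivateKeyInfo wrapping an RFC 5915 ECPrivateKey)."""
    der = base64.urlsafe_b64decode(key_value + "=" * (-len(key_value) % 4))
    _, info, _ = der_read(der)                        # PrivateKeyInfo SEQUENCE
    _, _, pos = der_read(info)                        # version INTEGER 0
    _, alg, pos = der_read(info, pos)                 # AlgorithmIdentifier
    _, ec_key_der, _ = der_read(info, pos)            # OCTET STRING: ECPrivateKey
    _, oid_alg, p = der_read(alg)
    if oid_alg != OID_EC_PUBLIC_KEY or der_read(alg, p)[1] != OID_PRIME256V1:
        raise ValueError("not a P-256 ECDSA key")
    _, ec_key, _ = der_read(ec_key_der)               # ECPrivateKey SEQUENCE
    _, _, p = der_read(ec_key)                        # version INTEGER 1
    _, d_bytes, p = der_read(ec_key, p)               # privateKey OCTET STRING
    point = der_read(der_read(ec_key, p)[1])[1][1:]   # [1] -> BIT STRING, drop pad byte
    if len(d_bytes) != 32 or len(point) != 65 or point[0] != 4:
        raise ValueError("unexpected key encoding")
    d = int.from_bytes(d_bytes, "big")
    pub = (int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big"))
    if ec_mul(d, G) != pub:                           # is the export self-consistent?
        raise ValueError("embedded public key does not match private scalar")
    return d, pub

def ecdsa_sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1  # production code: RFC 6979 nonces
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r, s

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def make_assertion(cred, client_data):
    """Sign what an authenticator signs: authenticatorData || SHA-256(clientDataJSON)."""
    d, pub = parse_key_value(cred["keyValue"])
    auth_data = (hashlib.sha256(cred["rpId"].encode()).digest() + FLAGS
                 + struct.pack(">I", int(cred["counter"])))
    return auth_data, ecdsa_sign(d, auth_data + hashlib.sha256(client_data).digest()), pub

def demo():
    """The relying party's check on the assertion; True means the exported key works."""
    auth_data, sig, pub = make_assertion(EXPORT_CRED, CLIENT_DATA)
    return ecdsa_verify(pub, auth_data + hashlib.sha256(CLIENT_DATA).digest(), sig)
```

The relying party verifies the signature over authenticatorData || SHA-256(clientDataJSON) against the public key, and that check passes for the key above: the JSON blob alone is enough to authenticate, with no dependency on Bitwarden or any other provider, which is exactly what makes an export a usable backup. The counter field from the export goes into authenticatorData as well; a signature counter is meaningless for a key that can legitimately exist in several places at once, which is the other side of exportability.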
On the flip side, backup keys are not a solution for me in this instance. The model being proposed is one where we have hundreds of passkeys in our vaults, one for each service. I don't want to spend time setting up a backup key on every service; I want the ease of use of just hitting "use passkey" on a new site and having it all work. I just also want a 100% reliable backup option that has no dependency on any service, vendor-specific system or anything. Essentially, I want a backup that my grandmother could hand to a local kid with tech skills, and be able to get into my account(s) while sitting together at her computer.