[teekert]

Ah but why are they better than classic credentials then? I thought they were device specific and thus "2fa build in". I thought you'd have to approve every new device from an existing one? But indeed I never saw that in action...

[recursive]

Because you can't export them.

[teekert]

Pretty sure I could with VaultWarden. For Proton indeed it seems to be an open issue. In theory it should be doable right? It's not like "impossible because of the spec" or something?

[xmgplays]

The difficulty of exporting them is kinda the point(sorta). The benefit of passkeys is that the average user is less likely to hand them over to a scammer, because they literally can't/don't know how, whereas everyone and their mother knows how to give a scammer their password/username and the funky numbers in the email they just got.

[recursive]

> It's not like "impossible because of the spec" or something

It could be, but I don't know if it is. One of the design points is that they are cryptographically un-phishable or something to that effect.

The ability to export directly conflicts non-phishability, at least in theory. I've heard conflicting information about what precisely is allowed or possible.