[lapcat]

> This is not true - Safari also supports passkeys managed by third-party password managers.

I think you know what I meant and are just being pedantic here for no good reason.

Do you think I'm unaware of 1Password? I don't want to use 1Password any more than I want to use iCloud Keychain.

Technically, pendantically, Safari "supports" anything that third-party Safari extensions support. I'm a Safari extension developer myself. But this is totally different from how Safari supports the use of passwords, which is all built in, requires no third-party software, can be local-only, allows plaintext export/import, etc.

> This will change: https://1password.com/blog/fido-alliance-import-export-passk...

This is literally what I meant by the so-called "secure credential exchange" in my previous comment.

[unsnap_biceps]

Reading the cfx spec [1], the raw private key is exported as a base64 encoded der. I don't understand what your concern is here. It appears that any cfx export file is not tied to a specific service to service import path, but can be imported into anything, or just used locally with self written tools.

1. https://fidoalliance.org/specs/cx/cxf-v1.0-ps-20250814.html#...

[lapcat]

This is merely the exchange format between credential providers, which is encrypted and gatekeeped by the credential providers. None of this is exported to users.

[jmsgwd]

OK I see what you mean. Having the ability to switch between vendors but not the ability to export your data locally (e.g. as plaintext keys) is a new meaning of "vendor lock-in" I hadn't considered before.

[lapcat]

Yes. User freedom is not all-or-nothing. There are degrees, and the tech companies are coming up with fiendish new ways to lock away your data from you. So in the case of passkeys, you can technically move your data between vendors, though that can be quite inconvenient as the submitted article mentions, but nonetheless every vendor locks away your data from you, and most vendors have a financial incentive to keep your data away from you, so that you have to pay for the services.

[jmsgwd]

Once "secure credential exchange" becomes supported by commercial credential managers, what's to stop someone implementing an open source password manager that implements the standard and allows local export in plaintext?

[pseudalopex]

Passkeys relying parties can block providers. Tim Cappalli threatened the KeypassXC developers so.[1] The restrictions demanded now do not restrict user freedom significantly arguably. But the incentives and capabilities are clear.

[1] https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

[jmsgwd]

OK but you'd still be able to use the open source "password manager" to export the keys - which solves the issue lapcat raised in this thread - even if relying parties blocked it for authentication, which would be a separate issue.

Someone could develop a "passkey export tool" purely for the purpose of doing credential exchange then local export.

Or are you saying the credential exchange process itself could block providers?

[pseudalopex]

You misunderstood lapcat I think. They wanted Passkeys stored locally exclusively. And they wanted to be able to use them. The issues are not separate.

[timmyc123]

Hi, Tim Cappalli here.

Not sure how stating that my (an individual) opinions on a topic are evolving is interpreted as "threatened the KeypassXC developers".

If you've been following along, you'll have seen that I am actually one of the biggest advocates of the open passkey ecosystem, and have been working really hard to make sure all credential managers have a level playing field.

Always happy to chat directly if you have concerns!

[pseudalopex]

The threat you relayed was more serious than the threat you made. But it is a threat when a person with influence suggests they may support a punishment.

The biggest advocates of an open ecosystem say attestation should be removed and no one should adopt Passkeys before. Is this your position now?

The concerns were clear I thought. I would be happy to discuss this publicly.