[lapcat]

> You're quoting the first post of a long discussion

"You absolutely should be preventing users from being able to copy a private key!" is the 8th post in the discussion.

Do you stand by these words, or are you now repudiating them?

> You're choosing to use an app that doesn't meet your needs

I am using an app that meets my needs. I don't need passkeys. It's just other people telling me that I need passkeys.

[timmyc123]

Copy and paste in clear text? Yes, I don't think that's a good idea. Download to disk in clear text? Yes, I don't think that's a good idea.

Years and years of security incidents with consumer data show that this is a really bad idea.

At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.

[lapcat]

> At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.

It feels like this stated minimum is not your actual minimum.

Consider for example a macOS user keychain. The keychain is encrypted on disk with a user-selected password. But once you unlock the keychain with the password, you can copy and paste passwords in clear text. The keychain is not a black hole where nothing ever escapes. And I have no objection to this setup; in fact it's my current setup.

So when you say copy and paste of passkeys in clear text is not a good idea, there's nothing inherent to encrypting credentials with a user key that prevents such copy and paste. There would have to be some additional restriction.

[pseudalopex]

> At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.

What should happen if the developers refuse to enforce this?