[digiown]

I do get that there are use cases for actual hardware bound keys for enterprise settings. But having non-exportable credentials (effectively non-ownable) is not acceptable in a consumer setting. This is a thinly veiled attempt at strengthening platform lock-in.

Look, the spec says you can't export the keys to a file! Too bad, go re-register your 120 websites if you want to stop using iCloud/Google!

[Groxx]

Particularly because "you must use only an approved passkey manager" is fairly easily solved by MDM, which is already widespread.

It's DRM, and it will go down exactly the same anti-user and anti-competitive route as every other DRM. Fight it with fervor.

[signal11]

Last I checked, they were working on interop so you can move your keys from one provider to another without creating CSV files or equivalent[1].

However from my PoV — if the user or an open source project wants to create CSV files, they should be free to do so. That’s part of putting the user in control.

For me, KeePass XC is the canary in the coal mine that helps me figure out what FIDO’s priorities are. I don’t have a problem with crypto around passkeys. They’re great. The non-functionals though (including shipping passkeys without good import/export) are a bit of a mess.

[1] https://fidoalliance.org/fido-alliance-publishes-new-specifi...