

#Apple and #Google have hijacked passkeys to keep users locked into their walled gardens.

Here's how we can make #passkeys work for everyone: https://proton.me/blog/big-tech-passkey


in reply to Proton

This is pretty FUD-y, @protonprivacy. Most people online don't use any third-party password managers, so it's been important for Apple and Google to get the passkeys experience right with their own password managers for the sake of mass adoption. And syncing between operating systems is challenging, but being worked on right now.

Why not use your launch of passkeys support to celebrate the benefits of passkeys instead of making it look like you're the only ones to "do passkeys right"?

in reply to Matthew Miller :donor:

@iamkale I'm going to play devil's advocate here: they're not really _wrong_ though (and neither are you).

Recent history shows that Big Tech doesn't like inter-operability where it hurts user retention in their ecosystem.

We saw/see this with password managers (ex: can't export Keychain from iOS alone - you need a Mac) and TOTP apps (Microsoft Authenticator doesn't have a formal export function; you have to use the backup workaround).

Additionally, and rather anecdotally, I still wouldn't say we even saw mass adoption with password managers or more secure MFA (TOTP) from Big Tech efforts either.

So many people don't use the password managers bundled with iOS/Mac or Android/ChromeOS. Even if they do, they're still reusing passwords, defeating the purpose.

in reply to Avoid the Hack! :donor:

@avoidthehack @iamkale I can't speak to previous behavior or actions, but I can assure you that Apple and Google are both actively contributing to standards for secure migration of passkeys across providers.

in reply to tim cappalli

@timcappalli Are they?

Are we sure it's not just cloud sync for that vendor's platform? Ex: Apple to iCloud and Google to Google Drive?

Last I heard/read was that users would still have to create another passkey for new "custodians."

https://fidoalliance.org/passkeys/

in reply to Avoid the Hack! :donor:

@avoidthehack there are two standard protocols being developed for migration between passkey providers, with over 10 providers involved in the work, including Google and Apple. It is not related to sync.

in reply to tim cappalli

@timcappalli Interesting. I wonder if you'll be able to export the passkey to your own storage or if it has to be a custodian-to-custodian port.

This entry was edited (3 weeks ago)

in reply to Avoid the Hack! :donor:

@avoidthehack you should pick a passkey provider that allows you to do that. I doubt that secure-by-default passkey providers would allow regular consumers to shoot themselves in the foot like that. If you're a power user, use a provider that gives you more knobs.

in reply to tim cappalli

@timcappalli We wouldn't know until they actually roll it out, to be fair. I am just spitballing, considering the closest thing I can think of to something similar we have now is SSH keys.

In theory, custodians could never allow an unencrypted export of the key per protocol; who knows.

Edit: Meant to say I use Bitwarden so it is a non-issue currently.

This entry was edited (3 weeks ago)

in reply to Avoid the Hack! :donor:

@avoidthehack there are providers who are waiting for the credential migration protocol to finalize and there are some providers who are unfortunately just dumping to plain text with no protections, which is irresponsible.

in reply to tim cappalli

I find this argument a bit problematic. Just because software like @Team KeePassXC gives users control and choice over their passkeys, which Apple / Google / ... currently don't, doesn't mean they are irresponsible. From what I can tell KeePassXC devs were not involved in the discussions around transfer of passkeys.

Big tech wanted to get passkeys into user hands, which is a great thing, as are passkeys in general. But the statement that it is somewhat of a lock-in situation currently is not false.

And finger-pointing at software that does give users the option to transfer passkeys at their desire is not helping I think. Especially when that aspect has not yet been standardized.

If transfer can happen in encrypted form, that is clearly preferable. You filed https://github.com/keepassxreboot/keepassxc/issues/10407 which is a good thing. The discussion shows, however, that the way the debate was going on so far was not ideal.

#passkeys #security #passwordless

This entry was edited (3 weeks ago)
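The thread contrasts providers that dump passkeys to plain text with transfer in encrypted form. The Go program below is an added illustration of that contrast, written for this page; it is not code from any participant, from KeePassXC, or from the credential migration protocols tim cappalli refers to (which the thread does not describe). It fabricates a P-256 (ES256) credential, shows that a plain JSON dump carries the private key in the clear, and wraps the same record under a passphrase-derived AES-256-GCM key, with the KDF cost bound as associated data so a bundle cannot be downgraded. The `Passkey` field set, the bundle layout, the PBKDF2 iteration count and the relying party name `example.com` are assumptions made for the demo; everything uses only the standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Passkey is what a provider holds for one credential (field set assumed for this example).
type Passkey struct {
	RPID       string `json:"rp_id"`
	CredID     []byte `json:"credential_id"`
	PrivKeyDER []byte `json:"private_key_pkcs8"` // ES256 (P-256) signing key
}

// EncryptedExport exposes only KDF parameters; the Passkey JSON is inside Ciphertext.
type EncryptedExport struct {
	Iterations int    `json:"pbkdf2_sha256_iterations"`
	Salt       []byte `json:"salt"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"` // AES-256-GCM over the Passkey JSON
}

// NewDemoPasskey fabricates a P-256 credential for rpID (constructed sample data).
func NewDemoPasskey(rpID string) Passkey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail here
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	pk := Passkey{RPID: rpID, CredID: make([]byte, 16), PrivKeyDER: der}
	rand.Read(pk.CredID)
	return pk
}

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, one 32-byte block, stdlib only.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for n := 1; n < iter; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for i := range t {
			t[i] ^= u[i]
		}
	}
	return t
}

// aead derives the wrapping key; the AAD binds the KDF cost so a bundle's iteration count cannot be lowered.
func aead(passphrase, salt []byte, iter int) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(pbkdf2SHA256(passphrase, salt, iter)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm, []byte(fmt.Sprintf("pbkdf2-sha256:%d", iter))
}

// EncryptExport wraps pk under a passphrase-derived AES-256-GCM key.
// A plain json.Marshal(pk) is the "dump to plain text" form the thread objects to.
func EncryptExport(pk Passkey, passphrase []byte) EncryptedExport {
	plaintext, _ := json.Marshal(pk) // these plain fields always marshal
	env := EncryptedExport{Iterations: 100_000, Salt: make([]byte, 16)} // demo cost; prefer a memory-hard KDF in production
	rand.Read(env.Salt)
	gcm, aad := aead(passphrase, env.Salt, env.Iterations)
	env.Nonce = make([]byte, gcm.NonceSize())
	rand.Read(env.Nonce)
	env.Ciphertext = gcm.Seal(nil, env.Nonce, plaintext, aad)
	return env
}

// DecryptExport unwraps a bundle; a wrong passphrase or any tampering fails the GCM tag.
func DecryptExport(env EncryptedExport, passphrase []byte) (Passkey, error) {
	gcm, aad := aead(passphrase, env.Salt, env.Iterations)
	if len(env.Nonce) != gcm.NonceSize() { // gcm.Open panics on a bad nonce length
		return Passkey{}, fmt.Errorf("malformed bundle: nonce is %d bytes", len(env.Nonce))
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return Passkey{}, fmt.Errorf("wrong passphrase or tampered bundle")
	}
	var pk Passkey
	return pk, json.Unmarshal(plaintext, &pk)
}

// ContainsKeyMaterial reports whether a serialized export exposes the private key (JSON []byte is padded base64).
func ContainsKeyMaterial(serialized []byte, pk Passkey) bool {
	return bytes.Contains(serialized, []byte(base64.StdEncoding.EncodeToString(pk.PrivKeyDER)))
}
```

`ContainsKeyMaterial(json.Marshal(pk))` is true for the plain dump and false for the marshaled `EncryptedExport`, which is the whole difference between the two behaviours discussed above. The nonce-length check is there because `gcm.Open` panics rather than erroring on a malformed nonce, so a receiver parsing untrusted bundles needs it; binding the iteration count as AAD is what stops a tampered bundle from being silently downgraded to a cheap KDF.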