undefined | Better HN

0 pointsjoshstrange3y ago0 comments

> Knowing apple they're going to be another avenue to lock in.

I mean it's just Webauthn under the hood, I'd bet money you can export them from keychain into another tool like 1Password or similar.

0 comments

thebitstick3y ago

Time to pay up! Exporting is impossible on Apple's implementation of Passkeys. Even exporting your entire keychain of passwords doesn't result in any WebAuthn keys, just standard passwords. Tested on macOS 13 and iOS 16 betas. I sincerely doubt this will change with the official releases. Google's implementation is probably the same. Microsoft hasn't done a thing yet to support passkeys besides what Edge and Windows Hello do.

joshstrangeOP3y ago

Interesting, I’m not running the betas and I searched a bunch before I posted and couldn’t find it mentioned one way or the other. I hope that changes sometime in the future, though I only use 1Password anyways.

> Time to pay up!

What’s your favorite charity?

scrollaway3y ago

> What’s your favorite charity?

Not GP but the EFF is the charity most likely to help successfully push for changes here :) I am sending them 50 bucks in your name. Care to double it?

1 more reply

garrettr_3y ago

Exporting is purposefully made impossible in many implementations of Passkeys (aka Webauthn authenticators) other than Apple's. For example, Yubikeys are designed so private keys can never leave the authenticator [0]. Enabling the export of private keys from an authenticator greatly increases the attack surface of an authenticator.

This is a long-standing security/usability tradeoff in the Webauthn spec. Various solutions have been proposed, but as far as I know most of them are still just drafts, e.g. [1]. The best practice has been and, as far as I know, continues to be to register multiple authenticators, e.g. a primary and a backup authenticator. This practice has a variety of benefits:

1. Avoids lockout if an authenticator is lost.

2. If you use multiple authenticators from different vendors (e.g. Yubico and Google) you:

1. Avoid vendor lock-in

2. Can rapidly respond in case a security vulnerability is discovered in one of your authenticators, as has occurred for both Yubico [2] and Google [3].

One could use Apple's Passkeys as one's day-to-day "personal" authenticator, and use an authenticator from a different vendor (e.g. Yubico Yubikey or Google Titan Security Key) as their backup key. I don't see how Apple's implementation increases the risk of lock-in beyond that of any of the other major Webauthn authenticator providers.

[0]: https://github.com/w3c/webauthn/issues/865#issuecomment-3804...

[1]: https://github.com/Yubico/webauthn-recovery-extension

[2]: https://www.yubico.com/support/issue-rating-system/security-...

[3]: https://security.googleblog.com/2019/05/titan-keys-update.ht...

j / k navigate · click thread line to collapse