> What happens if my PC goes down and I couldn't export my data? I just can't log in anywhere?
Then you follow the procedure you would follow for when you'd forget your password. Probably a password reset through email, maybe calling customer support. Or if you have it set up, you could use the passkey set up on your phone or Yubikey or whatever to log in and create a new password on your new PC.
Passkeys aren't passwords, that's the whole point. It's modelled after the "something you have" factor, not "something you know". If you're finding workarounds to violate the security design, you're not gaining any advantage by using passkeys. Just use a password if you want to use a password.
The trouble is, if websites are allowed/encouraged to ban clients, then the advantages you're talking about come with the downside of hard-tying yourself to one of 3 US-based Big Tech companies, because those will be the only ones who will ship clients declared "secure." That's not a trade-off I'm willing to make for something as critical as my service logins. You can already see this happening, almost every article talking about passkeys assumes you're logging in with an Apple, Google, or Microsoft device.
> Then you follow the procedure you would follow for when you'd forget your password. Probably a password reset through email, maybe calling customer support.
This is a downgrade from passwords (and exportable passkeys), where I can just restore it from a backup.
> Just use a password if you want to use a password.
Yeah, that's what I plan to keep doing, unfortunately. What I'm worried about is a password-less future where that's no longer an option and we all have to submit to using one of Android, iOS, or Windows to log in to everything because those are the only clients that can be trusted(TM) to handle the user's data as the big tech companies and governments desire it to be handled. This is a dark future.
Remote attestation is evil.
I read as much about it from the official sources as I could about a year ago, so I might be wrong here. From what I remember even though no specific mention of Android or iOS attestation was made, a "strong" form of 2FA is needed. Stronger than TOTP.
In my country most banks I talked with require a mobile app for 2FA even if you're logging in from a desktop browser. I haven't (and will not) install a banking app on my phone, so I'm not sure if it would work if the phone doesn't pass the attestation (e.g., Play Integrity on Android). I wanted to install the app in an AOSP VM, but no bank would even send me the apk file - they all want me to download it from Google for some reason.
Another option was to pay for a hardware device from a third-party company.
I was lucky that one bank still uses SMS 2FA. It's weaker than TOTP (depending on your threat model, I guess), but I prefer it.
My other option is either to:
* have a smartphone;
* have an "approved" OS from an American company;
* have an account with said American company so I can download the app from the company's repository;
* run closed source software on my smartphone.
or to
* pay for a USB device from a third-party company;
* that barely works with Linux;
* that requires a closed source program to run;
* that doesn't work with VMs and troubleshooting was a pain (I tried).
What I want is to use TOTP. I would actually store the secret on another device, as I'm not opposed to the idea of 2FA in general. And I would be fine if my money were drained as a result of me being hacked. If I had millions in my account, I could just use a separate computer only for the banking, but still a computer I chose.
Online banking (a superset of "mobile" banking) is very important for a person to have in order to participate in society. The ability to choose what hardware and software to use is also very important. The ability to not associate oneself with third-party companies, to accept their ToS and to pay them money is also very important. Therefore, I think those things should be my rights. I'm not complaining about a gym or a pizza place requiring a mobile app here, after all.
[0] https://en.wikipedia.org/wiki/Strong_customer_authentication
MFA is more secure: you combine multiple factors of authentication. You could do password + passkey, password + TOTP token (assuming such tokens are not exportable either), password + biometrics, passkey + biometrics, even TOTP + biometrics would be MFA.
I don't think anyone proposes replacing MFA with passkeys, most proponents are proposing replacing passwords with passkeys.
A second question is "is MFA still necessary when using passkeys", as passkeys are generally more secure than the Welcome1234! type passwords most people use. I'd argue that for quite a few non-critical services, it wouldn't be. More and more services have started requiring 2FA because the damage of accepting passwords alone was too great, and with passkeys I don't believe the same damage would occur.
It'd still be a good to offer the option. In fact, I think passwords should be offered as a second option; combining passkeys with something like TOTP would be close to useless as the same thing you use to validate the passkey probably also generates the TOTP codes.
Amazon actually does MFA with passkeys: you can log in with a passkey but it'll still ask you for a TOTP code. I'd rather combine password and passkey, but at least they're not completely turning off the additional layer of security.
The threat he relayed was more serious than the threat he made. But it is a threat when a person with influence suggests they may support a punishment.
> If you promise to store a key in a non-exportable format
There was no such promise. The people who wish Passkeys to replace passwords did not demand it yet even.
The specification states otherwise: https://www.w3.org/TR/webauthn-2/
A credential private key is the private key portion of a credential key pair. The credential private key is bound to a particular authenticator - its managing authenticator - and is expected to never be exposed to any other party, not even to the owner of the authenticator.