225 points Terretta | 22 comments
1. rkagerer No.41856151
Does this include a way for a technically-savvy user to 'repatriate' their passkeys into their own infrastructure? (i.e. If I want to be my own provider)
replies(5): >>41856235 #>>41856260 #>>41856382 #>>41856674 #>>41864441 #
2. commandersaki No.41856235
At a minimum we will see if KeePass is a provider that is supported; they seem to be the only pw manager in town that respects user freedom.
replies(2): >>41864046 #>>41869178 #
3. ratorx No.41856260
Can you not just set up a new passkey using a different provider (eg. Bitwarden)? It is a bit inconvenient, since it has to be done manually for every site.
replies(2): >>41856348 #>>41856725 #
4. whatevaa No.41856348
A bit is an understatement. If these passkeys become widespread, we are talking about like 100 sites.
replies(1): >>41863466 #
5. HeatrayEnjoyer No.41856382
There shouldn't be. Secure enclaves aren't secure if they can be copied.
replies(7): >>41856651 #>>41863070 #>>41863950 #>>41864073 #>>41867442 #>>41867586 #>>41871611 #
6. lucianbr No.41856651
How does this suddenly become a problem when as the user I want access to my keys, but it isn't a problem when corporations copy my keys between them, which is what this post is about?
replies(1): >>41863813 #
7. Terr_ No.41856674
I would also be concerned about whether you can recover when a provider becomes unusable or hostile, and there is no cooperative migration path.

That might be the company going bankrupt, a physical or digital disaster, geopolitical firewalls, or simply a Kafka-esque bureaucracy where your entire account has been deleted without appeal because the company decided it was easier than figuring out the truth behind some moderation issue.

8. Jnr No.41856725
If you go for passkeys, start putting them in your own provider from the start? Vaultwarden is a nice option.
9. jasonjayr No.41863070
Secured against who?
10. ensignavenger No.41863466{3}
I have over 500 logins in my Bitwarden account right now. Many of those are not important in the least, but hundreds of them are.
11. No.41863813{3}
12. eikenberry No.41863950
So you are against this new spec becoming a standard then?
13. lovethevoid No.41864046
KeePassXC already supports passkeys.
14. benlivengood No.41864073
The exchange spec suggests that the sending secure enclave sends encrypted credentials to the receiving secure enclave; they're never unwrapped in public between 'trusting' enclaves; which enclaves will trust each other enough to perform the credential transfer is another question.
15. EasyMark No.41864441
That seems scary, I think I’d rather move them over one by one and delete the old passkey/2fa. I want to make it as hard as possible to keep them from being moveable as that’s one less attack point for hackers.
replies(1): >>41871597 #
16. noirscape No.41867442
In that case, the keys would be a non-starter. The overwhelming majority of tech requests relate to people forgetting their passwords and getting in trouble because the browser's password manager forgot the password itself.

The reality is that the biggest pushers of Passkeys are the providers with the least amount of infrastructure stability. If you want people to get to use Passkeys, providing an exit tool from Google and Apple is a must, because both providers are godawful at not accidentally mushing up your data. That's not so important if all you're using their infrastructure for is a periodic backup/use it to transfer photos to your PC, but it's a problem for anything that has to be stored long-term.

replies(1): >>41878714 #
17. lxgr No.41867586
Passkeys and secure enclaves are only loosely related. You can implement one using the other, but it’s by no means a requirement.

And even when they are, nothing says that secure enclaves can’t have importable or exportable keys. Many schemes do both on a regular basis.

18. rprospero No.41869178
I'm curious if you count Pass (https://www.passwordstore.org/) as not being "in town" or if it has issues with user freedom that I'm ignorant of.
replies(1): >>41875562 #
19. No.41871597
20. No.41871611
21. commandersaki No.41875562{3}
Eh, I should've qualified with pw managers that support passkeys.
22. HeatrayEnjoyer No.41878714{3}
Any exit tool just becomes the latest focus of phishers and credential stealing malware.