225 points Terretta | 1 comments
troupo No.41856125
I came across an opinion I largely agree with: https://mastodon.social/@lapcatsoftware/113308133338196824 and https://mastodon.social/@lapcatsoftware/113308273654667583

> These big tech companies will do anything possible to prevent users from ever actually being able to access their own passkeys.

> Export and import should have been extremely simple. Instead, they took years to come up with some convoluted system where the only possibility is to transfer from one vendor lock-in to another vendor lock-in.

> With passkeys, the big tech companies are executing a coup d'état of authentication, just like they did for HTML itself.

> In the end, they control every protocol, become the gatekeepers for the web.

lll-o-lll No.41856254
This is an exceptionally cynical take. WebAuthn is an open standard; this new credential transfer spec is the opposite of “big vendor lock-in”. It’s standardising the export-import.

Standards are slow and expensive to create and evolve. They involve endless meetings, discussion and design. However, the outcome is freedom.

The idea that this should have been “extremely simple” is just standard hubris.

lapcat No.41856421
> This is an exceptionally cynical take.

> However, the outcome is freedom.

This is an exceptionally naive take.

> The idea that this should have been “extremely simple” is just standard hubris.

Why? Export-import of passwords is extremely simple and can be done with copy-paste or CSV. The only thing preventing this with passkeys is the paternalistic idea that users of passkeys should not be allowed to access them directly.

joshuamorton No.41856486
> The only thing preventing this with passkeys is the paternalistic idea that users of passkeys should not be allowed to access them directly.

This is, of course, also the thing that makes passkeys uniquely unphishable.

1. Terr_ No.41856718
That's a bit like saying a house fire is what makes your deleted files uniquely safe from recovery.

The sentence is true, as far as it goes... But it's uniquely excessive, rather than the unique minimum sufficient for the task.