Friday, June 20, 2025

Apple Previews Passkeys Credential Exchange

Dan Goodin (Slashdot):

The import/export feature, which Apple demonstrated at this week’s Worldwide Developers Conference, will be available in the next major releases of iOS, macOS, iPadOS, and visionOS. It aims to solve one of the biggest shortcomings of passkeys as they have existed to date. Passkeys created on one operating system or credential manager are largely bound to those environments. A passkey created on a Mac, for instance, can sync easily enough with other Apple devices connected to the same iCloud account. Transferring them to a Windows device or even a dedicated credential manager installed on the same Apple device has been impossible.

[…]

The system provides a secure mechanism to move the data between apps. No insecure files are created on disk, eliminating the risk of credential leaks from exported files. It’s a modern, secure way to move credentials.

This is progress, but personally I still wish for a way to directly get at my data, so that I’m not at the mercy of the sending app being available and working properly, and the receiving app being approved, at some indeterminate time in the future.

Kyle Howells:

And still I ultimately hope it fails and disappears.

The concept of so fully locking a user out of their login credential that they can never ever have any access to them (it is technologically impossible for them to log in to any “unapproved” app, using any “unapproved” device) is a goal I hope withers and dies, bogged down in technical complexity.

The amount of lockdown involved is such that password managers suggesting they might give users the ability to freely import/export their credentials between password managers was met with threats of blacklisting those programs if they did so in a way that actually gave the end user their credentials.

Only “pre-approved” (by the platform vendor, not you) applications which could securely link to each other in a way to ensure you the user were never permitted access to your credentials in any way.

3 Comments


I concur with Mr. Howells. After reviewing the concept many times, I still believe that there is no possible way for me to share my passkeys across all my computers (running macOS, Windows and Linux) and all my browsers (Safari, Firefox, Edge, Chromium).

With passwords, I can use Firefox's cloud service to sync all my Firefox browsers and a simple text file to keep a permanent record, should I forget any of the hundreds that I need to track.

But with passkeys, I'm completely SOL if Apple's server glitches, because I can't move the data anywhere else, and I can't manually re-enter anything if the master copy gets trashed.

Great concept, lousy implementation, and a business policy that guarantees it can't possibly get better.


Someone else

Correct, because transferring passkeys wasn’t part of the Passkey standard until, I guess, now.

You can imagine the problem: how to share an encrypted thing without sharing the key and without it ever being in plaintext.

Realistically, passwords may eventually go away for super-high security and throwaway things as more places use passkeys… might they ever go away completely?

If you’re a bank, what do you do if/when a customer gets locked out of their password manager? Probably something similar to if you lose your credit card. Multi-factor but physical stuff like mailing address, fingerprints, etc. How does Apple do account recovery? Probably something like that.

Low security/risk places like forums will probably send a re-authentication email (which is not great) like many places do now.


It should be possible to generate multiple passkeys for a single website, so you don't even need to share the same passkey between different password managers.
