{"id":48167,"date":"2025-06-20T16:40:15","date_gmt":"2025-06-20T20:40:15","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=48167"},"modified":"2025-07-15T15:06:23","modified_gmt":"2025-07-15T19:06:23","slug":"apple-previews-passkeys-credential-exchange","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/06\/20\/apple-previews-passkeys-credential-exchange\/","title":{"rendered":"Apple Previews Passkeys Credential Exchange"},"content":{"rendered":"

Dan Goodin<\/a> (Slashdot<\/a>):<\/p>\n

\n

The import\/export feature, which Apple demonstrated<\/a> at this week’s Worldwide Developers Conference, will be available in the next major releases of iOS, macOS, iPadOS, and visionOS. It aims to solve one of the biggest shortcomings of passkeys as they have existed to date. Passkeys created on one operating system or credential manager are largely bound to those environments. A passkey created on a Mac, for instance, can sync easily enough with other Apple devices connected to the same iCloud account. Transferring them to a Windows device or even a dedicated credential manager installed on the same Apple device has been impossible.<\/p>\n

[…]<\/p>\n

\n

The system provides a secure mechanism to move the data between apps. No insecure files are created on disk, eliminating the risk of credential leaks from exported files. It’s a modern, secure way to move credentials.<\/p>\n<\/blockquote>\n<\/blockquote>\n\n

This is progress, but personally I still wish for a way to directly get at my data, so that I’m not at the mercy of the sending app being available and working properly, and the receiving app being approved, at some indeterminate time in the future.<\/p>\n\n

Kyle Howells<\/a>:<\/p>\n

And still I ultimately hope it fails and disappears.<\/p>

The concept of so fully locking a user out of their login credential that they can never ever have any access to them. It is technologically impossible for them to login to any “unapproved” app, using any “unapproved” device. Is a goal I hope withers and dies bogged down in technical complexity.<\/p>

The amount of lockdown involves is such that password managers suggesting they might give users the ability to freely import\/export their credentials between password managers was met with threats of blacklisting those programs if they did so in a way that actually gave the end user their credentials.<\/p>

Only “pre-approved” (by the platform vendor, not you) applications which could securely link to each other in a way to ensure you the user were never permitted access to your credentials in any way.<\/p><\/blockquote>\n\n

Previously:<\/p>\n