I do get that there are use cases for actual hardware bound keys for enterprise settings. But having non-exportable credentials (effectively non-ownable) is not acceptable in a consumer setting. This is a thinly veiled attempt at strengthening platform lock-in.
Last I checked, they were working on interop so you can move your keys from one provider to another without creating CSV files or equivalent[1].
digiown|22 days ago
Look, the spec says you can't export the keys to a file! Too bad, go re-register your 120 websites if you want to stop using iCloud/Google!
Groxx|22 days ago
It's DRM, and it will go down exactly the same anti-user and anti-competitive route as every other DRM. Fight it with fervor.
signal11|21 days ago
However from my PoV — if the user or an open source project wants to create CSV files, they should be free to do so. That’s part of putting the user in control.
For me, KeePass XC is the canary in the coal mine that helps me figure out what FIDO’s priorities are. I don’t have a problem with crypto around passkeys. They’re great. The non-functionals though (including shipping passkeys without good import/export) are a bit of a mess.
[1] https://fidoalliance.org/fido-alliance-publishes-new-specifi...