I guess it's tricky because at work, a central secret store with permissions and some kind of audit trail is a good idea. At home some cloud backup / syncing should be done, but I don't think that replaces local backups and everything.
What's the issue here, people can't export backups of the passkeys?
> What's the issue here, people can't export backups of the passkeys?
Quite the opposite. You can, and are always advised to, have a second key as backup that you can keep in a secure location. So in the same way as you don't lose your home if you lose your home's keys, you don't lose your digital access if you have a backup passkey. There is a slight difference between the two scenarios as in the case of your home, you wouldn't lose it regardless of whether you have a backup key or not. But since you can easily have a backup passkey the difference is very small.
The difference is that normal people don't have 50-200 houses and don't have to toy with the main/backup keys for every single one of those + each time they add a new "house", which may be often.
I think the issue here is we don't understand how to.
I can, and do, back up and safeguard my KeePass database in ways many and various. I have a fairly robust system to back up "traditional stuff" - including sync to my local NAS, a monthly off-site exchange of external drives with my best friend, and a cloud sync.
I have NO clue how to back up my whatever this is, keystore or database or whatever, in a way that I'll feel confident I can seamlessly resume my life. It all seems to be embedded in some cloudy or device-internal ethereal opaque invisible places that make my life super easy when they work and when I do predictable things, and make my life devastating when they don't work or I do unpredictable things. I'm literally and genuinely and actually scared of these changes - not for when they work well, which is apparently magical; but when they don't work well or I fall through system cracks through some unknown change or issue.
Passkey objects on macOS are encrypted at rest within the iCloud Keychain sqlite database in Library/Keychains/*/. It shouldn't be too hard to adapt the keychain extraction tools that exist.
I don't know why you would want to, though, since (1) passkeys will rarely be a required, non-reissuable credential, and (2) losing access to iCloud Keychain is extremely improbable. For many users, showing ID to a phone store clerk is sufficient for iCloud recovery. For others, it's using their laptop, a recovery key, or a recovery contact.
> Passkey objects on macOS are encrypted at rest within the iCloud Keychain sqlite database in Library/Keychains/*/. It shouldn't be too hard to adapt the keychain extraction tools that exist.
Really? That sounds awful. So now everything is passwordless and tied to a single database that can be stolen?
I thought the whole point of passkeys was to tie the login to a TPM-, Secure Enclave-, HSM-, etc. managed key, because that means the private key is in hardened, tamper-proof storage that simply signs challenges.
Sorry, that's only speculation, since I haven't had more time to analyze the database. If you read Apple's passkey security document, it claims that passkeys are distributed identically across devices. And that you can recover the passkeys even in the event that all associated devices are lost. It's also possible to share passkeys at any time.
passkeys.com:
> When a user sets up a passkey, a key is generated and synchronized to the cloud. When the user connects from another device in the same ecosystem, it will use the same key.
WebAuthn supports verified attestations for hardware-backed authenticators. Passkeys seem to be designed for normal consumers, who worry about losing authenticator devices.
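Since the thread turns on whether a passkey is device-bound or cloud-synced, here is an added example (not from any poster) showing how a relying party can read the WebAuthn authenticator-data flags that a synced passkey sets (BE, backup eligible, and BS, backup state); the sample blobs and the `example.com` RP ID are constructed for illustration.

```python
# Added example: parse the fixed header of WebAuthn authenticator data and
# classify the credential as device-bound or synced from its BE/BS flags.
# Header layout per the WebAuthn spec:
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
import hashlib
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced


def parse_auth_data(auth_data: bytes) -> dict:
    """Return the fixed header fields of an authenticator-data blob."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37-byte header")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def classify_credential(auth_data: bytes, rp_id: str) -> str:
    """Classify as device-bound / synced after checking the RP ID hash binds to us."""
    info = parse_auth_data(auth_data)
    if info["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected relying party")
    if info["backup_eligible"]:
        return "synced" if info["backup_state"] else "synced-eligible"
    return "device-bound"


def make_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticator-data header (no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    hw = make_sample("example.com", FLAG_UP | FLAG_UV, 42)
    cloud = make_sample("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(classify_credential(hw, "example.com"))     # device-bound
    print(classify_credential(cloud, "example.com"))  # synced
```

A relying party that needs hardware-bound keys would reject or step up on `synced`/`synced-eligible` results and additionally verify the attestation statement, which this header-only parser does not cover.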
> showing ID to a phone store clerk is sufficient for iCloud recovery
Can you walk me through how that works? I don't know how Verizon, for instance, could get me that access. Or did you mean at an Apple store or something?
Basically: For some subset of iCloud Keychain users, SMS is used in combination with the lost device's passcode (or a user-chosen password) to recover the keychain. Since the device is lost, you re-issue the phone number with a carrier. I think 2FA or ADP may require another device or a recovery key, but my memory is hazy on this.