FIDO Alliance publishes new spec to let users move passkeys across providers

Lock‑in, control & exportability

  • Many see the new FIDO credential exchange spec (the Credential Exchange Protocol and Format, CXP/CXF) as overdue: export/import should have been simple (like CSV for passwords) and available from day one.
  • Strong concern that big platforms (Apple, Google, etc.) intentionally made passkeys non‑exportable to create ecosystem lock‑in; users often cannot move keys out of iCloud Keychain or Google Password Manager.
  • Others argue the new spec is a net positive: it standardizes what were previously proprietary, opaque export/import mechanisms and should reduce lock‑in.
  • Power users want SSH‑style control: raw key files they can copy, back up to paper, or keep in a password manager they control (KeePassXC locally, Bitwarden, or a self‑hosted Vaultwarden). The inability to access private keys directly is viewed as paternalistic.

Security properties & threat models

  • Pro‑passkey side:
    • Passkeys are per‑site keypairs: each relying party gets its own key, the private key stays client‑side, and nothing is reused across sites.
    • They’re resistant to phishing because each credential is bound to a relying‑party ID (the site’s domain); the browser will not offer a credential registered for one domain to a page at a different origin, so a look‑alike site simply has nothing to ask for.
    • They eliminate password reuse and shrink the impact of server‑side breaches, since the server stores only public keys.
  • Critics reply that:
    • If keys can be migrated, they can be stolen; any export mechanism becomes a high‑value phishing/malware target.
    • Synced passkeys already give up the hardware‑bound story: the private key is copied to the provider’s cloud, so “never leaves the device” holds only for device‑bound credentials.
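To make the domain‑binding argument concrete, here is a simplified WebAuthn‑style exchange in Go. It is an added example written for this summary, not code from the discussion or from any FIDO specification: the names Authenticator, GetAssertion and VerifyAssertion, the constructed challenge bytes and the JSON layout are assumptions, and real clientDataJSON, authenticatorData and COSE formats are more involved. The authenticator keeps one P‑256 key per relying‑party ID (ES256, the most common passkey algorithm) and signs over sha256(rpID) plus a hash of the browser‑supplied client data; the relying party checks rpIdHash, origin and challenge before the signature.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator holds one private key per relying-party (RP) ID. Private keys
// never leave this struct; callers only ever receive public keys and signatures.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh P-256 key pair scoped to rpID and returns only the
// public half, which the RP stores next to the user account.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// clientData mirrors WebAuthn's clientDataJSON (assumed simplified layout): the
// browser, not the web page, fills in the origin it is actually talking to.
type clientData struct {
	Type      string `json:"type"`
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the RP receives back from the browser.
type Assertion struct {
	RPIDHash       [32]byte // sha256(rpID) the authenticator signed over
	ClientDataJSON []byte
	Signature      []byte // ASN.1 ECDSA over sha256(RPIDHash || sha256(ClientDataJSON))
}

func signedMessage(rpHash [32]byte, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return msg[:]
}

// GetAssertion is what the browser calls. The browser derives rpID from the
// origin, so a page at a look-alike origin asks for a credential that the
// authenticator simply does not have.
func (a *Authenticator) GetAssertion(rpID, origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for rpID " + rpID)
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpHash, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: rpHash, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the RP side: rpIdHash, type, origin and challenge are all
// checked before the signature, so a relayed or replayed assertion fails even
// when the signature itself is genuine.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, as *Assertion) error {
	if as == nil {
		return errors.New("no assertion")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("rpIdHash mismatch")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin || !bytes.Equal(cd.Challenge, challenge) {
		return errors.New("clientData mismatch (type/origin/challenge)")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.RPIDHash, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	pub, _ := auth.Register("example.com")
	pub2, _ := auth.Register("other.org")
	fmt.Println("same key reused across sites:", pub.Equal(pub2)) // false: per-site keys
	challenge := []byte("constructed-challenge-0001") // constructed; real RPs send random bytes

	// 1. Legitimate login from https://example.com.
	as, err := auth.GetAssertion("example.com", "https://example.com", challenge)
	fmt.Println("legit:", err, "/ verify:", VerifyAssertion(pub, "example.com", "https://example.com", challenge, as))

	// 2. Look-alike phishing site: browser derives rpID "examp1e.com"; nothing to sign with.
	_, err = auth.GetAssertion("examp1e.com", "https://examp1e.com", challenge)
	fmt.Println("look-alike site:", err)

	// 3. Relay by a client that bypassed the browser's rpID check: the origin in
	// clientData is still the phishing site, so the real RP rejects it.
	as, _ = auth.GetAssertion("example.com", "https://examp1e.com", challenge)
	fmt.Println("relayed assertion:", VerifyAssertion(pub, "example.com", "https://example.com", challenge, as))
}
```

Scenario 3 models a client that lies about the rpID; a real browser refuses such a request outright (rpID must be a registrable suffix of the origin), so the origin check on the RP side is a second layer rather than the only one. The same verify routine also rejects a replay with a different challenge, which is why each login must use a fresh one.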

Backups, recovery & multi‑device usage

  • Big practical worry: losing a phone or account with synced passkeys could mean losing access to hundreds of services.
  • Suggested mitigations: multiple passkeys per account, backup hardware keys, or using a password manager as passkey provider.
  • Many sites only allow a single passkey and UX for adding multiple keys is inconsistent.
  • Some argue that traditional account recovery (email, backup codes) remains unchanged; others note this re‑introduces phishable fallbacks and undermines “passwordless” claims.

Hardware tokens vs software passkeys

  • Hardware tokens (FIDO2 security keys) are praised for non‑extractable secrets, but criticized as impractical: limited slots for discoverable (resident) credentials, easy to lose, and many sites won’t let a user register more than one.
  • Some want non‑discoverable (non‑resident) credentials, where the per‑site key is re‑derived from a credential ID the site stores so the token holds nothing per site, and CA‑like models, to avoid hardware storage limits.

Standards, governance & usability

  • Several complain the spec is complex and driven by large vendors with misaligned incentives: attestation lets a site tell which provider holds a credential, and could be used to reject providers deemed “too open”.
  • Others emphasize that designing something secure and usable “for billions” is intrinsically hard; passkeys already greatly help average users who are routinely phished via SMS/OTP.
  • Broad agreement that tooling, browser support, and UX (especially for non‑technical users) are still immature and uneven.