Titan_M2
Pretty much, pass(word|keys) are stored and synced via iCloud Keychain, encrypted with the iPhone passcode, with hardware security modules on Apple's backend to stop brute force.
My comment was related to the iCloud Keychain only being able to be used on Apple devices. I would not call my iOS -> GrapheneOS experience a 'seamless transition'. The answer is written as if it only expects you to upgrade your phone to a different phone from the same vendor, when it is also possible you will be upgrading to a different phone from a different vendor. Later on, this is confirmed, but as you explain, it isn't as big an issue because multiple passkeys can be added for one account. You do still have to re-create all the passkeys, so it's still a pain.
Also, they're still proprietary implementations. I still prefer the password manager implementation the most.
Remote attestation is an optional feature websites can request for higher security, biometric is just the way the local password manager lets you access passkeys. You can use whatever you want, face fingerprint, passcode, smile on camera, or none.
Thanks for clearing that up. The way it is written is ambiguous.
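To make the distinction in the exchange above concrete, here is an added example (not code from this thread or from any vendor) that decodes the authenticator data a website receives during a WebAuthn/passkey sign-in. It shows that user verification (UV, the local biometric or passcode check) and the backup-eligible/backup-state flags (which separate a synced passkey from a device-bound hardware key) are what the site can actually observe, while attestation is a separate, optional block only present when the AT flag is set. The relying party ID "example.org" and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Flag bits in the authenticatorData header (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric, PIN, passcode: the authenticator's choice)
FLAG_BE = 0x08  # backup eligible (credential may be synced, e.g. via a cloud keychain)
FLAG_BS = 0x10  # backup state (credential is currently backed up)
FLAG_AT = 0x40  # attested credential data follows the header
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Parse the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    expected = hashlib.sha256(rp_id.encode()).digest()
    return {
        "rp_id_matches": rp_id_hash == expected,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "has_attestation": bool(flags & FLAG_AT),
        "sign_count": sign_count,
    }


def credential_kind(info: dict) -> str:
    """Classify by BE/BS: a hardware key is device-bound, a passkey may be synced."""
    if not info["backup_eligible"]:
        return "device-bound"
    return "synced, backed up" if info["backed_up"] else "synced, not backed up"


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample header with no attestation or extension data."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Constructed: a synced passkey, user verified, sign counter 0 (typical for synced keys).
    sample = build_sample("example.org", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    info = parse_authenticator_data(sample, "example.org")
    print(info, credential_kind(info))
```

A site that wants to insist on device-bound keys can reject credentials whose BE flag is set; a site that only wants "something better than a password" can accept either and still check UV.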
Passkeys are not created for techie people that intentionally buy multiple security keys, remember which is tied to which account, have them with them when they need to log in, and never break or lose one. Passkeys are for the general public using insecure passwords with weak or nonexistent 2FA on their accounts.
I acknowledge the adoption issue in my other comment. I do have multiple security keys; one as a backup. I use the same keys for every account. I have never had any trouble with them. I even took them overseas without fuss. I don't think the general public would struggle to use security keys; I think the general public will never be convinced to buy them. I'm not saying they are made for everyone to use, but I want to acknowledge the technological superiority of hardware security keys. Namely; none of them are tied to a particular ecosystem and can be used on any device. I'll touch on the convenience factor later on.
I recently saw a news report in my country that covered a company trying to sell pagers to banks and attempting to convince their customers to carry around pagers using a proprietary authentication method that cost twice as much as security keys. The horrible humor in this is they will probably succeed, despite the fact that I know my bank uses Yubikeys for their computers. In fact, I know of a country that has implemented something similar, except for everything - visit the MitID thread: https://discuss.grapheneos.org/d/1520-status-of-mitid-app
I don't think there is a way to export Apple -> Google or vice versa, but you can have multiple passkeys for one account, so you could save one for each platform.
This solves one of two problems, which is the ecosystem lock-in problem, and by far the bigger issue. It does not solve the issue of accessing/backing up the decrypted secret key. I see the FIDO Alliance intends to get around this by entrusting the cloud service with a copy of your encrypted credential, which is fiiine...but I would really like them to be able to be backed up by the user.
The user should always be in control. I realize anyone who knows anything about security will be the first to point out that the user is the most common cause of compromising their own security, but I don't accept that as a reason to take control away from the user, permanently. It's too easy an excuse for other bad behavior by vendors.
Well, if you don't have the phone but can still log in, then you can proooobably remember the password, but you really should use random, strong, unique passwords stored in a password manager, for which you need a device anyway.
And now I want to touch on the convenience factor of hardware keys. You can carry your hardware key around anywhere! Even, say...your friend's place. You could leave your phone at home, but as long as you bring that key and plug it into their USB-A slot, you can log in to your account without your phone and without a password. You don't have to worry about charging your hardware security key, either. I'm not planning on giving them up any time soon for passkeys. I will probably be forced to give them up anyway despite their superiority due to lack of adoption.
I'm not saying that hardware security keys are something the general public will be able to handle not losing or be willing to buy. I will say that I've lost my phone twice in the past two years (for a short period of time), but in the five years I've owned my security keys, I haven't lost any of them. I'm not using this anecdote to prove anything except my life priorities, but nonetheless, sticking your keys on a lanyard around your neck will make them quite hard to lose. I've also never broken a security key, but on this subject, I will have to quietly agree with you that the general public cannot be trusted to take care of security keys.
Thanks for your clarifications! I, for one, have found this thread very fruitful. I've changed my opinions at least twice, and I understand more about passkeys than I ever would have searching on my own.