> It's a good thing that these are not possible. I want private keys to be non-exportable.
Cool, I guess, but they are never going to be a replacement for passwords as long as that's the case. Ordinary non-techie users are never going to be OK with that.
We couldn't get ordinary users to use real 2FA tokens. You think security people are going to convince them to build a backup system across multiple devices where they duplicate their keys? It's not going to happen.
> The only "transfer" process I want is one where I can use the passkey on one hardware device to authorize in real-time the login on a new device, so that I can then set up a separate passkey on that device. This is fundamentally an application concern and not part of the WebAuthn standard
This is absolutely something that concerns the WebAuthn standard, because a nontrivial number of providers don't support this.
I'm tired of the passkey advocates saying "backup works, you just have to authorize new devices" at the same time they're saying, "it's not our responsibility to ensure that it's possible to authorize new devices." Okay, it's not your responsibility, but then don't pretend that backup works even under the narrow criteria of cloning keys on multiple devices, because even that doesn't actually work.
Amazon above is spitting out an error code that claims it will only support adding one passkey per provider. If so, that's the FIDO Alliance's problem to solve if the FIDO Alliance is interested in anyone actually using their spec, because my takeaway from Amazon's messaging is that cross-device registration isn't guaranteed to work.