There's been a bit of conversation about this online. During the most recent AMA, 1Password's passkey team shared this: https://old.reddit.com/r/1Password/comments/16to6x7/hey_redd...
> we never, under any circumstance, want to allow them to be persisted unencrypted. We don't want vendor lock in any more than you do, but getting everyone to agree on a common spec takes a while. We're trying the best we can to accelerate the process but please understand that defining secure specifications take time.
1Password's position is that it only wants to support export as part of a shared standard; my understanding is that they aren't interested in exposing passkeys in a form where they are unencrypted and the user can inspect them by hand.
1Password is pretty much the only voice I've heard talk about tangible plans for export (part of the reason I use the word "lobbying" to describe them is that they seem to be the member of the FIDO Alliance that I can find publicly advocating for a standard), but I suspect their position reflects the position of other FIDO Alliance members. Absent some evidence otherwise or some FIDO member giving some kind of information to the contrary, I'm assuming that we are not going to get export at all from any of the major providers until every provider agrees on a single standard, and short of individual providers like 1Password lobbying for that to be prioritized, I've seen no information about an official timeline or even any information about where in that process the FIDO Alliance is or whether other providers are interested in working towards that standard.
> But why can't bitwarden be its own provider? I don't understand the constraint there.
Bitwarden can be its own provider. If attestation doesn't go wrong (which is still a risk since lack of attestation for roaming keys is not standardized, we're relying on Apple's goodwill to block attestation on iOS), then Bitwarden will be usable with every service. However, my point is that having only one Open Source provider is not enough to make passkeys worth recommending to ordinary users.
Assuming everything goes well with Bitwarden their implementation might be enough for technical users like me who are familiar with the ecosystem and know how to avoid the many caveats, but ordinary users are going to be locked into proprietary platforms and ecosystems until the export/import situation is sorted for everyone. I can't recommend passkeys as a standard if there's only 1 provider that allows export/import and nobody else is required to work with them.
I don't want to have a conversation with my parents where they find out they can't move between ecosystems because they accidentally used their phone's built-in passkey provider. It's easier and safer to just tell them not to use passkeys.
----
As a side note it's worth mentioning that -- while I assume it will be possible -- I haven't actually seen any confirmation from Bitwarden that they are going to support export either. With an Open Source program it will be possible for someone to add support, but I can't actually say with complete certainty that you won't need to fork Bitwarden and program support yourself if you want to export passkeys. I can't with complete certainty say that someone using Bitwarden's official service instead of self-hosting will be able to export passkeys. I assume they will be able to; I assume there's a branch somewhere on a GitHub repo I could look at that would show that Bitwarden will allow some form of user-inspectable export.
But I haven't actually found that branch and I can't find any information about what exports will look like from Bitwarden or what format they're considering or if it's just going to be rolled into the existing data vault. If that information is online, it doesn't seem to be in an easily searchable place.
I assume export will be supported in Bitwarden and it'll just be another part of the vault. But it would be nice to get some info about it.