1Password enabled PassKey support recently and I was "surprised" to learn that there is no way of exporting them out of 1Password. They're not included in the 1PUX format export, nor in the CSV.
That means that they're literally impossible to back up. If 1Password goes down, or the company stops operating, or anything else like that, your Passkeys are just... gone. Absolutely no way to recover them.
Currently, none of the big players in the passkey space support exporting or importing of passkeys, because the spec for doing this securely has not been agreed upon, and nobody wants to allow plaintext export of passkeys.
Re. your point about 1Password going down: Your passwords and passkeys are all stored locally when they sync to your devices. If 1Password becomes unreachable for any reason, you still have access to everything in your vaults, you just can't sync between devices any more.
I guess "100% secure against phishing" is incompatible with "the user can in any way access the key" because if you knew the key, in theory some super-convincing phishing site could get you to spill it.
I still think the real reason is lock-in, but I could imagine this is their official justification.
Given all of the horror stories (some real, some hypothetical) told in this thread, it seems that one of the major side effects of passkeys — if not the primary purpose — is to keep you locked into whatever you used to create your passkey. Plaintext export would ameliorate that.
Passkeys are supposed to eliminate the need for companies to store a password so we no longer have to deal with the fallout of 40 breaches a year. In order to export passkeys it has to be in plaintext at some point, even if encrypted once again into the export file. Point is, one of the huge selling points of pushing people to use passkeys is the portability and lack of vendor lock-in, yet here we are with choices that are all currently vendor lock-in.
Can you, though? passkeys.io does not showcase this. The default assumption from every vendor is that you'll use their passkeys and they don't care about anything else. It's a very explicit silence, no "official" resource from any major vendor addresses cross-platform portability.
Yes, some individual implementers recognize the issue and have "log in with another device" (which is the best option you can have, although still quite clunky), so you can solve the chicken-and-egg problem of logging in on another platform's device to add another platform's passkeys. But to the best of my awareness, this is not a part of any standard or recommendation (it should've been).
And other implementers do the contrary and artificially limit your options so you can't add a portable authenticator with them without some hacking around.
What are the vendor options though?
(I think) it's Google, Apple, Microsoft, Yubico and 1Password?
None of which support exporting the keys as per other comments in this thread.
Isn't that the point of Passkeys? The user isn't allowed to interface with them directly, so social engineering can't compromise them [1]. Rather than move your passkey between devices, you're meant to generate a different passkey for each device, then register all of them with the relevant service, like SSH keys.
1: of course, a user could still be tricked into adding an attacker's passkey to their account or something
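The "one passkey per device, all registered with the service" model described in the comment above is the relying party's side of the problem, so here is an added example (not from any commenter, not 1Password's or any vendor's code) of how a relying party keeps several passkeys per account: `excludeCredentials` stops the same authenticator being enrolled twice, `allowCredentials` lets any enrolled device sign in, and the signature-counter check tolerates synced passkeys that report a counter of 0. The account data and credential IDs are constructed; signature verification against the stored public key is assumed to happen elsewhere.

```python
import base64
import secrets

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample account with one passkey already enrolled from a laptop.
# Real credential IDs come from the authenticator's attestation response.
ACCOUNT = {
    "user_id": b"user-42", "name": "alice@example.test",
    "credentials": [{"id": secrets.token_bytes(16), "transports": ["internal"],
                     "label": "laptop", "sign_count": 7}],
}

def registration_options(account: dict, rp_id: str = "example.test") -> dict:
    """PublicKeyCredentialCreationOptions for enrolling an ADDITIONAL passkey.
    excludeCredentials lists what is already registered so the browser refuses
    to create a duplicate on an authenticator that already holds one."""
    return {
        "rp": {"id": rp_id, "name": "Example"},
        "user": {"id": b64url(account["user_id"]), "name": account["name"],
                 "displayName": account["name"]},
        "challenge": b64url(secrets.token_bytes(32)),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7}, {"type": "public-key", "alg": -257}],
        "excludeCredentials": [{"type": "public-key", "id": b64url(c["id"]),
                                "transports": c["transports"]} for c in account["credentials"]],
        # No authenticatorAttachment: platform, roaming (USB/NFC) and hybrid (phone) all allowed.
        "authenticatorSelection": {"residentKey": "preferred", "userVerification": "preferred"},
    }

def add_credential(account: dict, cred_id: bytes, transports: list, label: str) -> None:
    """Store a newly attested credential; rejects an ID that is already enrolled."""
    if any(c["id"] == cred_id for c in account["credentials"]):
        raise ValueError("credential already registered")
    account["credentials"].append({"id": cred_id, "transports": transports, "label": label, "sign_count": 0})

def authentication_options(account: dict, rp_id: str = "example.test") -> dict:
    """allowCredentials names every enrolled passkey, so the backup key in a drawer works too."""
    return {"rpId": rp_id, "challenge": b64url(secrets.token_bytes(32)), "userVerification": "preferred",
            "allowCredentials": [{"type": "public-key", "id": b64url(c["id"]),
                                  "transports": c["transports"]} for c in account["credentials"]]}

def lookup_credential(account: dict, cred_id: bytes, new_sign_count: int):
    """Return the label of the enrolled authenticator that answered, or None.
    A counter of 0 is accepted without checks because synced passkeys do not count;
    a non-zero counter must strictly increase, otherwise the key may be cloned."""
    for c in account["credentials"]:
        if c["id"] == cred_id:
            if new_sign_count != 0:
                if new_sign_count <= c["sign_count"]:
                    raise ValueError("signature counter did not increase: possible cloned authenticator")
                c["sign_count"] = new_sign_count
            return c["label"]
    return None
```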
The major problem with passkeys is that first they were poorly designed so there's no portability or ability to enroll an offline (or worse, physically unavailable, like stored in a safe) authenticator, then there's this kludge to work around the limitation.
It was obvious from day 0 (to anyone except for Apple and Microsoft) that people do have multiple devices and not all of them are from a single vendor. My only explanation is that they deliberately decided to ignore this aspect, because it wasn't in corporate interests.
They made it significantly easier to lose all the passkeys, because they made it very hard to add multiple passkeys (you literally have to walk/run/drive/fly and grab every different device you have, get it online and register - or get properly locked in with a single vendor and pray they work for you, forever).
Carrying a Yubikey does not work (you can lose it). iCloud/Windows Hello does not work (you can be on a non-Apple/Microsoft device). 1Password is better but still does not really work (you can lose access to your account). They're all SPOFs, and avoiding SPOF was deliberately made hard (you can't easily enroll a "backup" Yubikey that you don't have at hand, and if you have it at hand it's not a backup anymore).
Heck, "official" demo at passkeys.io doesn't even bother to showcase how multiple passkeys are going to be a thing at all, which is an obvious red flag.
That is, not to mention that a growing number of vendors contributed to the crappiness by limiting what kind of authenticators and which platforms one can use (BestBuy, PayPal and so on), contributing to decreased security and increased headaches.
The "forgot password" flow involves accessing your email. And accessing your email without having access to your passkey requires a device that has previously logged in to your email. And the device that has previously logged in to your email is the same device where your passkeys are stored, which is to say, the same device that is now lost or bricked, which is the reason your passkeys are lost in the first place.
And sure, you and I have multiple devices. We're in the minority. Most people just have the one. Without another way in, they're irrevocably fucked.
Do any of the third-party, self-hosted password managers provide a compatible passkey implementation that can actually be exported and backed up in a secure manner?
1Password's Passkey support feels very aggressively growth-hacky to me. They intercept calls to `window.credentials` and if you want to use 1Password alongside other verifiers like Yubikey, you need to go into your settings and disable their passkeys offering entirely. It's similar to how they also intercept (and globally disable!) Google One Tap prompts in order to show their own OAuth prompt. I only use their Chrome extension so I'm not sure if the native app experience is significantly different.
I'm kind of mad at 1Password - but this isn't correct. When the 1Password prompt comes up, you can click the little "USB key" icon which ostensibly is for hardware keys, but all it does is pass control back to the OS, at which point your iCloud prompt, or whatever provider you are using, can be used.
Is version 8 reasonably Mac-like? On 7 it's still a Mac application that acts like a true Mac application (drag/drop works properly everywhere, expansion, properly keyboard-enabled, etc.) which is well nigh impossible when running inside a Chrome box.
AgileBits support kept insisting it was the same as the old native app and people kept complaining about bugs until I stopped following it.
It's as Mac-like as any other Electron app. Which is to say, it does a pretty good impression of a Mac app, but the bundle is 345M, with another 244M hiding in your Library directory.
It's so rare that I use anything other than the 1Password Chrome extension that I couldn't really tell you! The main app seems... fine? But like I say, I hardly use it, so I probably wouldn't notice details like you mention.
Do you have a different workflow where you use the main app a lot?
I keep a lot (including images) in the main app as an encrypted shared resource for IDs and various other secure info. If I suddenly need my insurance card I can quickly grab it out of the app rather than rummage through the (unencrypted) iCloud or Dropbox filesystem on iOS. And I can cut/paste text out of the images. I also use it for logging into apps, dragging credentials into remote machines over ssh etc.
With 1Password 7 the Safari plugin is more conveniently integrated than the Chrome one, which is pretty clunky by comparison, though this is true of other Chrome plugins too. But that's not a big deal as I rarely use Chrome anyway, just for Google Docs which don't need 1Password.
This is a quibble, but if 1Password goes down, your vaults still exist on all your devices and the app will keep working; it's only the syncing of modifications between devices that won't work.