I personally am fine with this.

  • NaN@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    If your account is frozen they should still be on the device. That would be a good time to change all your passkeys over to a yubikey, or to add one as a secondary token.

    The keys being locked in a Secure Enclave is generally considered a feature, not a bug. That passkeys sync at all is somewhat concerning. I wouldn’t expect them to be exportable any time soon.

    • argv_minus_one@beehaw.org
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      1 year ago

      The use of a “secure enclave” for any purpose is a bug at best, because secure enclaves aren’t just secure against your adversaries; they’re also secure against you. This is intolerable. All machines must obey their owner, and “secure enclaves” by design don’t.

      • NaN@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Hard disagree. That rules out yubikey, smart cards, and most any other credential storage systems.

      • NaN@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        Apple actually describes the process for sync in some detail: https://support.apple.com/guide/security/secure-keychain-syncing-sec0a319b35f/web

        Apple also describes the keychain recovery process in depth (I think this is when you’ve lost all devices?): https://support.apple.com/guide/security/escrow-security-for-icloud-keychain-sec3e341e75d/1/web/1

        The Secure Enclave can apparently return the private key. For most keys it is encrypted with a key pair that is permanently stored in the Secure Enclave. For synchronized keys it is apparently encrypted with a key that is also stored in iCloud in such a way that Apple themselves cannot get to it.

        It does sound like they could potentially enable exporting the passkeys, I think it’s unlikely they would because they provide a method to move them to other devices already and it does introduce more avenues for misuse. I don’t think it’s a huge requirement anyway, most hardware tokens provide no way to export at all by design. Apps that use them for 2FA should provide for enrolling multiple tokens.