#scwpod

2025-04-23

I'm really wondering if syncable passkeys will turn out to be a mistake in the end.

For now it's a big improvement for almost everybody. But I'm wondering if it's a question of time until the attackers catch up and figure out how to extract them, and then we're back where we started?

I love passkeys, but I'm really wary of storing all my eggs in one basket. But everyone and their cousin is adding syncable passkey support to their password manager, which makes the UX of keeping things separate really annoying.

And since the introduction of native WebAuthn support and then passkeys, I have lost the ability to use the SEP as non-syncable storage: github.com/github/SoftU2F

I really liked how the key material was locked into the SEP and "impossible" to export. But it was accessible with a simple Touch ID.

While Apple does a lot of fancy stuff with SKP, it feels like that's so complex it can't be as secure.

Maybe something for @durumcrustulum and #scwpod? The question being: does Apple have some fancy crypto setup which makes extracting the passkeys uneconomical? How about the fact that I can unlock it with my N-pin passcode? Can I extract the key material with that, or only interact with it and get it to sign things for me?

Either way, I guess I won't be able to get rid of my Yubikey for a while still.

#passkeys #softu2f
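The distinction the post cares about (SEP-bound vs. syncable credentials) is visible to the relying party: WebAuthn authenticator data carries backup-eligibility (BE) and backup-state (BS) flag bits. The following Python is an added example, not code from the post or from SoftU2F, that parses those flags so a site can tell which kind of passkey signed an assertion; the sample blobs and the RP ID example.com are constructed.

```python
# Added example: parse the fixed prefix of WebAuthn authenticatorData and
# classify the signing credential as device-bound or syncable using the
# BE (backup eligible) and BS (backup state) flags from WebAuthn Level 3.
# All sample blobs below are constructed, not captured from a real device.
import hashlib
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced / backed up
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse rpIdHash (32 bytes), flags (1 byte) and signCount (4 bytes BE)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }

def classify(auth_data: bytes, rp_id: str) -> str:
    """Return 'device-bound' or 'syncable'; reject malformed or foreign data."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    # The spec forbids BS without BE, so treat that combination as invalid.
    if parsed["backed_up"] and not parsed["backup_eligible"]:
        raise ValueError("invalid flags: BS set without BE")
    return "syncable" if parsed["backup_eligible"] else "device-bound"

def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticatorData blob (no attestation, no extensions)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))

if __name__ == "__main__":
    hw_key = build_sample("example.com", FLAG_UP | FLAG_UV, 7)
    synced = build_sample("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(classify(hw_key, "example.com"))  # device-bound
    print(classify(synced, "example.com"))  # syncable
```

A relying party that wants to keep "the eggs in separate baskets" can use this classification to apply different policy to syncable and device-bound credentials, or to require a device-bound one for sensitive actions.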
