Is there any chance that third party password managers like Bitwarden and 1Password will be able to implement add-ons and apps that replace this functionality, and that could open up migration paths? Or is the passkey future even worse than I feared?
Certainly - WebAuthn is an open standard, and passkey appears to just be "passwordless FIDO2" (all open standards) with shiny branding around it.
That means anyone can implement it, including a physical token (which can be entirely open source, like the solokeys dongle).
The real concern here is friction for the "average end user" - passkeys IMHO are a net-good thing, as long as we don't see this result in everyone regressing towards "single factor auth" in some way. As it stands though, WebAuthn/Passkey gives you a level of phishing resistance that ought to raise the bar on compromising accounts.
The part I do fear about third party password managers is that they'll potentially end up lowering the level of security that WebAuthn heralded, by normalising pure "software" authenticators - putting TOTP seeds into bitwarden alongside passwords feels like putting all your eggs in one basket, even if it's a reasonably good basket. A physical WebAuthn key gives you a level of hardware isolation (limited attack surface, time-bounded attack surface, physical contact required per-authentication) that will be lost if everyone moves to software-based tokens.
On the other hand, if people are replacing a globally re-used password with a "passkey", it's a lot better. If they are replacing a hardware token with a software token, that's a small step backwards. If most people are still manually using the same password everywhere, it's probably a net step forwards.
I believe 1password will implement passkeys at some point in the future. However that doesn't take away from the concern that passkeys are designed from the ground up to ensure vendor lock-in (there almost certainly won't be a way to migrate passkeys from Apple's or Google's keychains to 1password). With passwords there is a clear, if insecure, fallback -- simply copy the password over. With passkeys, you're subject to Big Tech's whims.
It is not possible to take anything Apple or Google do in this area to be in good faith.
> there almost certainly won't be a way to migrate passkeys from Apple's or Google's keychains to 1password
If that happens it will be 100% the fault of those specific passkey implementations. There's no reason why exporting a passkey database should be any more difficult than exporting a password database.
I agree - I think password managers will (soon enough) implement passkeys. As you say though, the current implementations deliver lock-in "by-design" (but with legitimate reason - you don't want to have an API that shares the AES-256 root key that decrypts passkey keyblobs!)
This could all be mitigated with a little bit of tooling (allowing an existing passkey to enrol a new passkey from another device), which would also help users of hardware tokens to potentially create a way to auto-enrol an off-site key.
I do believe WebAuthn is a good-faith attempt to get away from the pervasive problem of "use the same useless password everywhere", but it makes a range of compromises which (intentionally or otherwise) create a level of cryptographic vendor lock-in that I don't think many people have recognised yet.
I've flagged these concerns to several people involved in Webauthn, privately and publicly, and passkey portability is pretty clearly low-priority (i.e. never going to happen) for them.
The technology is safe enough to use, as long as you stick to hardware tokens - I have accumulated a few of them over the years (quite affordable), and you can get USB-A, USB-C and NFC versions.
You shouldn't get locked in with a USB hardware token - you can enrol it in Chrome on one computer, and then authenticate via Firefox in another computer.
The issue is really the software-based "passkey" implementation. As long as you're not solely reliant on one company for login (i.e. you enrol multiple keys, one of which is portable and interoperable, AKA a hardware token) you can safely add software-based ones for convenience without getting locked in - you can always use the hardware token to get back in and enrol a new device.
The problem is that a lot of people are going to unintentionally lock themselves in due to Apple's and Google's marketing. It's going to be a miserable few years.
This is a shame to see - it's understandable that there are some technical challenges in it, but it does seem possible (via a mutual auth handshake) to introduce portability. Kudos to you for arguing the case though!
Before "cloud keychain" (i.e. software-backed, like Apple's implementation), your only "safe" option was to have 2x hardware tokens, and try to keep one off-site, but still accessible enough you could enrol it on all the sites you use.
I fear with "cloud keychain" Webauthn, we are heading for a world where getting locked out of (or banned from) your "FAMNG" account will lock you out of everything else, to an extent we've not really seen before - no access to your synced keychain secret will prevent you from logging in to everything. Physical tokens remaining interoperable should give technical users an insurance policy against this, but without some kind of portability (i.e. pairing hardware webauthn keys), I fear it won't be practical enough to keep users safe, and independent of the keychain providers.
This has existed for years. I use 1Password for all my passwords and it shows up as an option when entering or creating a password in any browser on iOS. Furthermore, all browser can access the keychain if the user authorizes it.
Passkeys are a little different - at heart, you can export or write down (on paper, if it comes to it) your passwords, and then import them into another password manager if you choose to. If you want to move from the built-in keychain to 1Password, you can do an export/import operation, and have your passwords in 1Password.
You inherently can't copy-paste a passkey, since it's an asymmetric public/private keypair authentication. These keys are (usually) decrypted by a single symmetric key that you protect well. If you allow that key to be exported, you're back to "one password for every website"!
When this is done on a hardware-protected security engine (which doesn't permit any extraction of the key), it's arguably quite secure, but you don't then have any migration path.
Well, the point of such keys is that you can't extract the private part. I've never met a single service that supports Webauthn and doesn't allow you to have multiple tokens: every time I enroll into a new service, I do this: add physical key, add desktop (Windows Hello) if it's personal, add laptop (Touch ID) of it's work and maybe Face ID on iPad.
I have close to a thousand unique websites and passwords in my password manager. It is completely unreasonable for me to expect to re-enroll a thousand times.
