With the (hopefully) imminent Bitwarden release supporting passkeys, a question has popped up in my mind with regards to exportability.
Basically, at the moment, if ever I wanted to, I could export my Bitwarden vault and import my passwords into another password manager.
My question is, can passkeys be exported and imported the same way as passwords or would it be necessary to set up new passkeys if ever one moves to a new password manager?
Very interesting question whose answer also interests me.
Theoretically, since passkeys are based on PKI, and claimed to be portable, your passkeys should be exportable.
They probably look kind of similar to SSL and SSH keys. They would probably be blocks of base64-encoded text and be one of the exported fields, similar to notes.
There was recently a Q&A at the 1password subreddit where the developers said that the ability to export passkeys is being worked on right now, but at the moment it’s not possible (for passkeys in general, not just in 1password).
What I find interesting (and disappointing) is that they said that passkeys will never be exported unencrypted because that goes against FIDO’s security requirements. This means that you will always depend on an app to have access to your passkeys. What I found really strange is that they claimed on more than one occasion that being able to export passkeys unencrypted will make them “no better than passwords”. That doesn’t make sense to me.
Here are all the related replies I was able to find:
1pass’ overall views on various aspects of security are rather peculiar. For example, for the longest time they kept saying that 2FA is a placebo and their current system of username/password/secret key was superior. Or if you want to have an emergency account recovery, just print out your login credentials and keep them in a bank’s safe deposit box for relatives to have access to in case you are unable to.
I am glad they are considering the issue. Passkey logins currently bypass all 2FAs, making me very nervous/suspicious about usage on certain platforms (like Android).
If the key material is directly accessible by the user in some form, then it can be phished. I think that is the key point the guy is making, although equating it to password phishing is probably too much, at least for the techies who understand the technology, but it may be true for the general population.
The hackers may breach the passkey service providers, but the hackers shouldn’t be able to retrieve such secrets from the users or the relying parties. Those are the technical features of passkeys as currently known.
The guy is talking about passing secrets from one provider to another provider / other providers without the user being able to access the secrets, but the user not totally being out of the loop. Doesn’t sound easy to settle with the on-line/off-line/platform password providers.
Thanks for your informative reply. It’s good to know that the providers are trying to work on a solution, not only for portability of passkeys but also a more standardised way of exporting/importing passwords. Although it didn’t sound like a solution is imminent, I hope it’s not too far away. I feel the lack of portability may be a disincentive for some users to adopt passkeys.
It would be great if we got a response from someone on the Bitwarden team to see what their position is on this issue.
@bitmap Thanks for asking. The goal is passkey portability. As referenced earlier, there is active work going on with the FIDO Alliance to develop standards for these workflows. Bitwarden is actively participating in this process.
There is a Bitwarden and Passkeys event on Nov 9 you might want to join.
Thanks @go12, great to know that the Bitwarden team is actively participating in the FIDO Alliance efforts to standardise these workflows. The forthcoming Passkeys event should be very interesting!
I think I’m in agreement with 1password here.
Once the private key of the passkey gets exposed then it can be used without biometrics or PIN, so its security will be weakened. It simply becomes a password, albeit a long one.
I realise a server-side hack will not expose the passkey, but will such a passkey remain secure enough to bypass 2FA?
I trust a passkey on my Yubikey because it can’t be exported and can only be used with a PIN.
I trust (kind of) a passkey on my iPhone because it requires biometrics.
Not long to wait now to see how BW solves this problem.
The thing is that to say that it simply becomes a password, its security would have to have been reduced enough to be comparable to a password. Passkeys exported as plaintext will still protect you from server-side breaches and phishing attacks (since you don’t type in your passkey to any website), which are the two ways the vast majority of password theft is happening.
Also, let’s not forget that there are ways to never save the export on disk unencrypted and still be able to have total access to your private keys. I’m talking about encryption software like VeraCrypt where the data are never saved on disk unencrypted.
I’m fine with a warning that advises against exporting them in plaintext like the one Bitwarden has right now, but I strongly believe that the end user, as the owner of their credentials, should have the final decision about the way they manage them.
Three factors of authentication are something you know, something you have, something you are.
An exported plaintext passkey becomes comparable to a password because it’s only something you know. I think the other 2 factors are lost.
A passkey is never something you know; you probably meant “something you have”, but your point still stands, of course. I’d argue that passkeys are not 2FA anyway, because the “something you are” factor is only required locally, but that’s a different discussion.
But again, to say that exporting it in plaintext reduces your security is fine with me. To say that it becomes just another password doesn’t make sense to me, because it is still secure against the most common ways a password can be exposed. Passwords are almost never exposed because someone gained access to your local device.
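The claim made in the two replies above (that a passkey's key material is scoped to one site and is never typed into a page) can be seen in the WebAuthn assertion format itself. The Go sketch below is an added example written for this thread, not code from Bitwarden, 1Password or the FIDO Alliance: it models a P-256 passkey bound to one rpId and the relying party's verification step, with constructed sample client data and a fixed sign counter.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Passkey models the private half of a FIDO2 credential: a P-256 key scoped, at creation, to one rpId.
type Passkey struct {
	RPID string
	Priv *ecdsa.PrivateKey
}

// NewPasskey generates a credential for rpID (sample key, made locally for this example).
func NewPasskey(rpID string) (*Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Passkey{RPID: rpID, Priv: priv}, nil
}

// authData is the WebAuthn authenticatorData prefix: SHA-256(rpId) || flags || signCount.
// Flags 0x05 = user present + user verified; the counter is fixed at 1 here for brevity.
func authData(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], 0x05, 0, 0, 0, 1)
}

// signedDigest is what the assertion signature covers: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(ad, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return d[:]
}

// Assert answers a challenge like an authenticator: the rpId hash embedded is the one the key was created for.
func (p *Passkey) Assert(clientDataJSON []byte) (ad, sig []byte, err error) {
	ad = authData(p.RPID)
	sig, err = ecdsa.SignASN1(rand.Reader, p.Priv, signedDigest(ad, clientDataJSON))
	return ad, sig, err
}

// Verify is the relying party's check: its own rpId hash, and a signature under the key stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID string, clientDataJSON, ad, sig []byte) bool {
	want := sha256.Sum256([]byte(rpID))
	if len(ad) < 37 || !bytes.Equal(ad[:32], want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(ad, clientDataJSON), sig)
}
```

A copied key is therefore still only usable against the rpId it was created for; what a plaintext copy removes is the PIN or biometric gate in front of signing, which is the weakening the other side of the thread describes.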
I have the same concern.
I want to migrate all 2FA solutions I use at websites as much as I can to Passkeys due to comfort.
On the other hand, I am worried that I could get locked out from the sites (think of Binance) in case I cannot use my Passkey anymore.
I don’t intend to export the Passkeys to any other solution, but I’d like to make it certain that if I at least import it back to Bitwarden, that would work. (Especially, when it is self-hosted.)
Passkeys stored in Bitwarden are included in .JSON-formatted vault exports. I have not tested it personally, but I have seen several user reports confirming that it is possible to import these exports into a new Bitwarden account (provided it’s an unencrypted .JSON or a password-protected .JSON, not the conventional encrypted .JSON, which is account-restricted), and then continue to use the imported passkeys for authentication.