[There's a spec for import and export](https://fidoalliance.org/specifications-credential-exchange-specifications/) and a [1Password blog post about it](https://blog.1password.com/fido-alliance-import-export-passkeys-draft-specs/)

If that solves vendor lock-in, then I'm just worried about possible attestation stuff

> Not being able to export your passkeys makes you dependent on the password manager. 

Is it not possible to migrate between tools? I don't mean that companies aren't implementing this. I mean is it not allowed by the spec.

But again. The people that need this are not you and I. Its people that WILL export their keys in plain text on their desktop...

kepford

Its hard for me to make a valid argument against them

Here's one: Not being able to export your passkeys makes you dependent on the password manager. If you want to switch, you now have to setup new passkeys for every website where you use them.

And if a password manager allows export (or other reasons in the future), it apparently might be possible to mark them as "insecure" and ban their passkeys if attestation will be mandatory, see this 

The unfortunate piece is that your product choices can have both positive and negative impacts on the ecosystem as a whole. I've already heard rumblings that KeepassXC is likely to be featured in a few industry presentations that highlight security challenges with passkey providers, the need for functional and security certification, and the lack of identifying passkey provider attestation (

which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations)

 become possible makes me want to stick to password+TOTPs.

security

Passkeys are just passwords that require a password manager - Dan Fabulich

Scoresby

> Its hard for me to make a valid argument against them

Here's one: Not being able to export your passkeys makes you dependent on the password manager. If you want to switch, you now have to setup new passkeys for every website where you use them.

And if a password manager allows export (or other reasons in the future), it apparently might be possible to mark them as "insecure" and ban their passkeys if attestation will be mandatory, see this [Github comment](https://github.com/keepassxreboot/keepassxc/issues/10407#issuecomment-1994673954):

> [...]
>
> The unfortunate piece is that your product choices can have both positive and negative impacts on the ecosystem as a whole. I've already heard rumblings that KeepassXC is likely to be featured in a few industry presentations that highlight security challenges with passkey providers, the need for functional and security certification, and the lack of identifying passkey provider attestation (**which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations)**.
>
> [...]

and [this one](https://github.com/keepassxreboot/keepassxc/issues/10407#issuecomment-2000363268).

Just that this _might_ become possible makes me want to stick to password+TOTPs.