I personally am fine with this.

    • Bitrot@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      If your account is frozen they should still be on the device. That would be a good time to change all your passkeys over to a yubikey, or to add one as a secondary token.

      The keys being locked in a Secure Enclave is generally considered a feature, not a bug. That passkeys sync at all is somewhat concerning. I wouldn’t expect them to be exportable any time soon.

        • Bitrot@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 year ago

          Apple actually describes the process for sync in some detail: https://support.apple.com/guide/security/secure-keychain-syncing-sec0a319b35f/web

          Apple also describes the keychain recovery process in depth (I think this is when you’ve lost all devices?): https://support.apple.com/guide/security/escrow-security-for-icloud-keychain-sec3e341e75d/1/web/1

          The Secure Enclave can apparently return the private key. For most keys it is encrypted with a key pair that is permanently stored in the Secure Enclave. For synchronized keys it is apparently encrypted with a key that is also stored in iCloud in such a way that Apple themselves cannot get to it.

          It does sound like they could potentially enable exporting the passkeys, I think it’s unlikely they would because they provide a method to move them to other devices already and it does introduce more avenues for misuse. I don’t think it’s a huge requirement anyway, most hardware tokens provide no way to export at all by design. Apps that use them for 2FA should provide for enrolling multiple tokens.