No, TOTP and passkeys had different motivational concepts:
- TOTP (Time-Based One-Time Password), the "rolling numeric code", is conceptually similar to "trusted hardware" such as RSA SecurID tokens: https://www.google.com/search?q=securid&tbm=isch
- passkeys are conceptually similar to "trusted hardware" such as the biometric USB vault from Yubikey that costs $50: https://www.yubico.com/product/yubikey-5-series/yubikey-5-nf... ... or Nitrokey: https://shop.nitrokey.com/shop?&search=nitrokey%203
In both cases, you can put secrets into the hardware but can't extract them back out. You can _use_ the secrets stored in the hardware via your fingerprint to facilitate logins but you can't extract/copy the digital data from one Yubikey to another Nitrokey. This restriction for USB vaults is deliberately designed for security but typically isn't disparaged as "vendor lock-in".
However, increasing website security via "trusted hardware" by making everybody spend an extra $50 for a USB vault is not ideal. Instead, a bunch of security experts noticed that billions of people are already carrying smartphones that have built-in biometric security such as face-id and fingerprint readers. Ok, let's just piggyback on existing smartphones and make them "act like the $50 Yubikey/Nitrokey" -- which means mobile passkeys managers like Google not allowing simple export/copying of passkeys.
Yeah but desktop managers like 1Password, Bitwarden, KeePassXC allow export of passkeys! True, but there's controversy and disagreement about that because they're not restricted like the Yubikey hardware is. Will some websites that are very strict reject some clients that allow passkeys export? It's a wait & see.
If the "ideal" passkeys ("ideal" from the RP / Relying Party's point of view) are not exportable/transferrable to another device, how do they expect people to migrate from Apple to Android or whatever? By generating new passkeys for that new device and adding it to the list of approved passkeys the website accepts. Instead of transferring the secrets, you re-generate new secrets.