I personally am fine with this.

    • NaN@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      Apple actually describes the process for sync in some detail: https://support.apple.com/guide/security/secure-keychain-syncing-sec0a319b35f/web

      Apple also describes the keychain recovery process in depth (I think this is when you’ve lost all devices?): https://support.apple.com/guide/security/escrow-security-for-icloud-keychain-sec3e341e75d/1/web/1

      The Secure Enclave can apparently return the private key. For most keys it is encrypted with a key pair that is permanently stored in the Secure Enclave. For synchronized keys it is apparently encrypted with a key that is also stored in iCloud in such a way that Apple themselves cannot get to it.

      It does sound like they could potentially enable exporting the passkeys, I think it’s unlikely they would because they provide a method to move them to other devices already and it does introduce more avenues for misuse. I don’t think it’s a huge requirement anyway, most hardware tokens provide no way to export at all by design. Apps that use them for 2FA should provide for enrolling multiple tokens.