> The WebAuthn _also_ allows device-bound keys, but they are not "passkeys".
True. WebAuthn is a good fit for a login that's tied to a user - and that user only logs into it from their workstation and maybe a laptop. There are better options when more flexibility is needed.
Happily, there are enough secure options that my phones will always be authenticator-free.
> The whole _point_ of Passkeys is that they are representable as clear-text data, and so they can be synced.
That seems to be counter to everything else I've heard about it so far. If that was the case, exporting would be easy, yet many password managers have had open feature requests for some time (1y+?).
I don't know what the truth is, but if you're right, there's definitely a lot of misinformation about it. Far more than correct info IME.
Migration protocols require the keys to be representable (at some point) as clear text.
And password managers like Bitwarden only allow encrypted export, but the encryption key is specified by the user. So you can trivially decrypt the exported data if you want.
I don't have a dog in this race. Just showing where the other understandings come from. Your logic might lead one to conclude that migration would not then generally be available.