Interesting article. I have a question about using my phone as a security key.
So, when I register at a WebAuthn site, my phone gets a 'credential-id' and a public key. Cool.
I use Android, so apparently this state gets saved in the "Play services state".
So, how can I backup this state, so I can again log into the same accounts I created/registered?
It seems like I might be able to backup that state (pubkeys+ids) to a USB key, but I have no idea what the procedure is, and how to trigger it.
How does one back up/save all their pubkeys+cred-ids that get saved in "play services state", so if Google blocks me, etc., I can still log in using those pubkeys and ids?
If Google blocks you, then you must be guilty of some terrible crime, and should be prevented from interacting with society to the greatest extent possible. Do we really want people being in control of their own identities without big trustworthy American corporations checking up on them all the time?
With FIDO keys you are really supposed to be registering another key and using it to log in and replace this key if it is lost or damaged. So they are probably going out of their way to block backups.
AFAIK, (though I haven't looked at newer protocol versions) if you somehow had an original backup of the token state, it would be all that you need for normal auth aside from setting a high enough counter value since the RP (website) should be providing the opaque key from the registration.
In situations where there are resident keys it would do no good to save them if the token context itself cannot be backed up and is lost. I'm not sure that really matters though, since this project seems to only work between browsers, so I don't see how you could use this kind of virtual key with ssh, OS services, etc., that might not store the opaque key normally.
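The counter point in the comment above is what a relying party actually checks. As an added example (not from the thread or any library), here is hypothetical RP-side Python that parses WebAuthn authenticatorData and applies the spec's signature-counter rule: a counter that fails to advance past the stored value is treated as a sign that the key exists in more than one place, which is exactly what a restored copy of token state looks like unless its counter was set high enough. The credential record and authenticatorData bytes are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

@dataclass
class StoredCredential:
    credential_id: bytes   # constructed sample record held by the RP
    public_key: bytes      # COSE public key, opaque to this example
    sign_count: int        # last counter value the RP accepted

class ClonedAuthenticatorWarning(Exception):
    """Assertion counter did not advance past the stored value."""

def parse_authenticator_data(auth_data: bytes):
    """authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return auth_data[:32], auth_data[32], sign_count

def build_authenticator_data(rp_id: str, sign_count: int, flags: int = 0x01) -> bytes:
    """Constructed sample authenticatorData with only the UP flag set."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def accept_assertion(cred: StoredCredential, auth_data: bytes, rp_id: str) -> int:
    """RP-side counter rule from the WebAuthn spec: a counter that fails to
    increase suggests the private key exists in more than one place, e.g. a
    restored backup alongside the original. Returns the new stored counter."""
    rp_id_hash, flags, asserted = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not flags & 0x01:
        raise ValueError("user presence flag not set")
    if asserted == 0 and cred.sign_count == 0:
        return 0                       # authenticator implements no counter
    if asserted <= cred.sign_count:
        raise ClonedAuthenticatorWarning(
            f"counter {asserted} did not advance past stored {cred.sign_count}")
    cred.sign_count = asserted
    return asserted

def restored_backup_is_flagged() -> bool:
    """Live device signs at counter 10; a backup restored with its old counter 3 is rejected."""
    rp, cred = "example.com", StoredCredential(b"\x01" * 16, b"<cose-key>", 0)
    accept_assertion(cred, build_authenticator_data(rp, 10), rp)
    try:
        accept_assertion(cred, build_authenticator_data(rp, 3), rp)
    except ClonedAuthenticatorWarning:
        return True
    return False
```

An RP that logs `ClonedAuthenticatorWarning` alongside the credential id gets a cheap detection signal for duplicated authenticator state; a counter that never moves (always 0) is the one case the spec tells the RP to tolerate.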