If someone steals my phone today, I can still access most of my accounts, and can regain access quickly to the others.
Now let’s assume passkeys are ubiquitous and used to log in to every website.
If they can’t be exported, then your entire digital existence is at the mercy of whatever device or technology platform you use to store your passkeys. If you lose access to the platform, you also permanently lose access to every single account you’ve ever signed up for. For me, that would include losing access to my retirement savings, tax records, and the ability to communicate with many of my friends, to give a few examples.
My computer also doesn’t have Bluetooth, which means I can no longer log in to any websites on it even when I do have access to my passkeys.
Shure not everybody does that and some sites don't really support that but thinking about this concept of having "physical key s" to your data makes a lot of sense to me.
Don't know how this change will affect my trust in the concept
So now I need to buy an extra phone from a different manufacturer than the one I already own, or sign up for another paid service? I’m starting to see what their motive might be now.
Is it even a requirement of the passkey standard to allow the user to create more than one passkey for your website?
1. You accept a non-trivial risk to be locked out forever of what you used those keys for 2. You still have a password login to revoke/create keys 3. You invest in enough redundacy to never lose all of your keys
IMHO only 2. is viable and then keys are just a different implementation of a password manager.
Of passkeys, I have quite a bit more, with new ones added at least every few weeks. That makes them much harder to physically or even logically replicate one by one.
> your entire digital existence is at the mercy of whatever device or technology platform you use to store your passkeys.
How often they change is irrelevant, the point is how you would recover them.
> Of passkeys, I have quite a bit more, with new ones added at least every few weeks. That makes them much harder to physically or even logically replicate one by one.
But what is your plan if you lose them? either you plan to never lose them (3.), you have a way to replace them (2.) or you accept the risk to get locked out (1.)
It’s just your login credential.
If you lose either a password or a passkey, you do the same thing: reset and set a new one via email recovery.
It’s just your login credential.
If you lose either a password or a passkey, you do the same thing: reset and set a new one via email recovery.
If that’s an option (and it often really is!), why go through all the trouble of implementing passkeys and not just implement “login via email”?
For some services, that’s not secure enough though.
How is it irrelevant if I can only use my recovery authenticator for the services I’ve enrolled it in, yet enrolling multiple physically separated authenticators is a huge pain practically?
It’s like changing the locks on various doors in my house every other week and trying to have a copy of all keys with friends or relatives living out of town.
Passkeys come with enough friction and hassle that I don't actually use them. The ability to move or back them up removes one of the friction points.
Resetting 2-factor authentication by proving access to only one factor (email) defeats the purpose of requiring 2 factors. If they can be reset via email, they might as well not exist at all. Even if we assume that nobody other than the user has legitimate access to the emails sent to the user (which is often untrue), emails can be trivially intercepted by a third party.
Not to mention that if I’ve lost access to the device where I am signed in to my email account, I won’t be able to access my email account to reset my passkeys anyway, because access to my email account would also require a passkey that I no longer have.
No actually! The biometric auth is more of a “liveness check” than anything else.
The point of passkeys is to replace the primary factor — the password — with a new primary factor that isn’t fundamentally “broken” in the ways passwords are. Password hashes can be stolen from servers, users frequently reuse them across different services, they are frequently very weak, and they are phishable. In contrast passkeys are guaranteed to be strong, unique, and there is nothing worth stealing from servers for attackers (only a public key).
Allowing both “something you are” and “something you have” to be reset simultaneously via proof only of “something you know” (the password to your email account) means that once that reset happens, you’ve gone from two or three factors to one factor.
Allowing passkeys to be reset by email is not compatible with using them as anything other than the primary factor. If you’re using them as both factors, you’d get equivalent security if you implemented sign-in via only magic links. If you’re using them as the second factor along with a password, but you allow them to be reset via email, you actually only have one factor.