If someone steals my phone today, I can still access most of my accounts, and can regain access quickly to the others.
Now let’s assume passkeys are ubiquitous and used to log in to every website.
If they can’t be exported, then your entire digital existence is at the mercy of whatever device or technology platform you use to store your passkeys. If you lose access to the platform, you also permanently lose access to every single account you’ve ever signed up for. For me, that would include losing access to my retirement savings, tax records, and the ability to communicate with many of my friends, to give a few examples.
My computer also doesn’t have Bluetooth, which means I can no longer log in to any websites on it even when I do have access to my passkeys.
Sure, not everybody does that and some sites don't really support that, but thinking about this concept of having "physical keys" to your data makes a lot of sense to me.
Don't know how this change will affect my trust in the concept.
1. You accept a non-trivial risk of being locked out forever of whatever you used those keys for.
2. You still have a password login to revoke/create keys.
3. You invest in enough redundancy to never lose all of your keys.
IMHO only 2. is viable and then keys are just a different implementation of a password manager.
Of passkeys, I have quite a bit more, with new ones added at least every few weeks. That makes them much harder to physically or even logically replicate one by one.
How often they change is irrelevant, the point is how you would recover them.
> Of passkeys, I have quite a bit more, with new ones added at least every few weeks. That makes them much harder to physically or even logically replicate one by one.
But what is your plan if you lose them? Either you plan to never lose them (3.), you have a way to replace them (2.), or you accept the risk of getting locked out (1.).
It’s just your login credential.
If you lose either a password or a passkey, you do the same thing: reset and set a new one via email recovery.
If that’s an option (and it often really is!), why go through all the trouble of implementing passkeys and not just implement “login via email”?
For some services, that’s not secure enough though.
How is it irrelevant if I can only use my recovery authenticator for the services I’ve enrolled it in, yet enrolling multiple physically separated authenticators is a huge pain practically?
It’s like changing the locks on various doors in my house every other week and trying to have a copy of all keys with friends or relatives living out of town.