225 points Terretta | 1 comments
solarkraft ◴[] No.41860069[source]
I had hope for passkeys, with all the interop-promises.

It turned out that no (mainstream) passkey provider allows backups, however, making them infinitely worse than just using passwords.

Maybe this will help, but fuck me, it’s all complicated, especially for a damn foundational security mechanism!

It could be so simple, just look at SSH keys, which I think largely use the same principle.

replies(5): >>41860481 #>>41863668 #>>41864115 #>>41864718 #>>41866900 #
skybrian ◴[] No.41860481[source]
You can create backup keys by creating more passkeys.
replies(2): >>41862445 #>>41871701 #
lelandbatey ◴[] No.41862445[source]
That's not a backup, that's just another secret. If I can't record the secret onto paper that I can put in a safe deposit box at a bank (or several), then it ain't backed up.
replies(2): >>41862467 #>>41862675 #
dixie_land ◴[] No.41862467[source]
I understand the semantic difference, but wouldn't you be able to, say, add a "backup" Yubikey and lock it in a safe?
replies(3): >>41862523 #>>41864017 #>>41867699 #
eikenberry ◴[] No.41864017[source]
No. How do you use it if it's in a safe? The only way this works is if you use the yubikey to log into google or some other auth provider and then use that auth provider for everything. But you are even worse off then, as that auth provider now is a single point of failure... get that account revoked for any reason and you've lost access everywhere.
replies(1): >>41865485 #
skybrian ◴[] No.41865485[source]
Why do that, though?

Figure out which doors you need to unlock and make sure you have at least two independent ways to get through each door. Some doors support Yubikey, so that counts as one, for those doors.

replies(2): >>41866763 #>>41867701 #
1. lxgr ◴[] No.41867701[source]
My doors don’t change every other week. My set of passkeys does.