
It is outside of passkey scope. Most services will use email to recover access.


> It is outside of passkey scope.

Yeah right, pass along responsibility to someone else. And you wonder why people don't trust this "security" solution.


There's no reason not to trust it. It's strictly better than passwords in almost every regard. Of course if you manage your passwords well, you don't get more security with passkeys, because your account is already safe enough. But for someone who used to write his universal "Johny1987" password on a sticker at his display, passkey provides security and usability benefits.

Passkey is just not supposed to solve all the problems in the world. It's supposed to replace login and password and that's about it. Authentication.


That would be fine if it didn't introduce device dependency and vendor lock-in.

How do I get my keys out of Apple's wallet again? Or out of a Yubikey for that matter.

They are no longer under my control and I depend on Apple's or Yubikey's benevolence to access my services.


> Or out of a Yubikey for that matter.

You don't, and neither does an adversary. That is literally the whole point of paying $50 for a Yubikey.


So I need to pay for the privilege of having a single point of failure for my credentials :)

Oh no I forgot, I could pay even more to have backups.


It's an open specification. You can make your own if you like.

If the security properties of a hardware authenticator aren't important to you, you don't need to use one at all.


A phone is also a hardware authenticator in this case. With the same problems in case of theft/destruction.



