
> That is the world which passkey advocates want

Okay, you don't have to take the hyperbole so far it's obviously wrong.

They don't want your login to break, and a password vault could also break if you only had a password.



I'm saying that the world which passkey advocates want is a world where if, for any reason, you can't log in with your passkey (due to a lost/broken device, a software bug, whatever), you'll be locked out of your account. I'm saying that to contrast with my parent comment, which claims that the world passkey advocates want is one in which passkeys offer some slight convenience advantages but no security advantages because they'll be an alternative to passwords. Obviously they don't want the software bugs, but we know bugs happen.


> I'm saying that the world which passkey advocates want is a world where if, for any reason, you can't log in with your passkey (due to a lost/broken device, a software bug, whatever), you'll be locked out of your account.

And a world where people only use passwords has the same problem if you can't log in with your password.

Moving from one single point of failure to another isn't great, but it's not a downgrade.

(And just like it's possible to back up a password, it's possible to back up a passkey. And I know passwords can be memorized, but in practice it's bad passwords that get memorized.)


How do I back up my passkeys? How do I get them out of iOS and into some file I control and can sync?


If you're using the iOS built-in storage then it backs up to iCloud and syncs to your other iOS devices.

If you specifically want a file you can control you need to use other passkey software, like Bitwarden. Which you already mentioned? Huh.


So I can't back them up in a way I control, so that I can transfer them to non-Apple devices? That's what I thought.


You are describing a problem with a single implementation, not passkeys in general.

It's a really ineffective gotcha. And extra transparent because you talked about Bitwarden first.


I use Bitwarden for critical passkeys. Most people do not. Passkeys, as currently implemented, for the vast majority of people, do not allow for effective back-ups in ways the user controls. You can't back up the keys from your iCloud and then use them on your friend's Windows PC to access something when you lost your iPhone. You can do that with passwords.


> You can't back up the keys from your iCloud and then use them on your friend's Windows PC to access something when you lost your iPhone.

Just enroll a second device like a hardware token. Then plug your hardware token into your friend's computer and you can log in to sites on your friend's PC without having to copy over and unlock your entire password safe.



I am. I'm not convinced that this will allow me to back up passkeys in any way. I wouldn't be surprised if Apple were to allow you to transfer passkeys out in such a way that they don't work on the original device anymore, which would make this standard irrelevant for what we're talking about.


That would be weird to do when they already encourage sync. But if they do, the worst case would be transfer out, back up, transfer in again.


I'm not sure who these "passkey advocates" are, but are you really positive they are unanimous and completely homogeneous as a group?


No group is unanimous and completely homogeneous. But judging by how often the security benefits get brought up by those in favor of passkeys in these kinds of discussions (including this thread), my impression is that most of its advocates view it as a security benefit. Which means they need to replace passwords, not be an optional extra.


For important sites like your email you'll add multiple passkeys. On less important ones you can just reset which passkey you use to log in, using your email, if you lose one of your passkeys.


That doesn't help with the posited example of "I lost my phone and need to borrow someone else's computer".


It does. You just use one of your other passkeys, like a hardware token.


> I'm saying that the world which passkey advocates want is a world where if, for any reason, you can't log in with your passkey (due to a lost/broken device, a software bug, whatever), you'll be locked out of your account.

Can you point me to a citation or two where passkeys advocates claim that passwords must go away and/or account recovery mechanisms must be abolished?


Elsewhere in this thread [0], passkey advocates go on for quite a bit about how vulnerable passwords are to phishing. Really, any account recovery mechanism not linked to hardware would seem to be vulnerable to phishing in the way they don't want it to be.

[0] https://news.ycombinator.com/item?id=42443913


If passwords remain, passkeys don't provide better security, only convenience.


Passkeys provide better security regardless of whether passwords continue to be supported. Two reasons off the top of my head:

• Passkeys stop phishing. Using your passkey instead of a password (when both are available) ensures you're actually signing in to the site/service you expect.

• Passkeys have zero value when leaked. Users' private keys remain secret and safe even when public keys are stolen and distributed.

That said, passwords aren't going extinct anytime soon. It will likely become more popular to require 2FA for password users in the meantime, as it should.


Passkeys don't stop phishing. If the user has both a password and a passkey to a service, a phishing site needs to just ask for a password and not mention passkeys and people will just enter their password.


>It will likely become more popular to require 2FA for password users in the meantime, as it should.

A lot of folks/services/engineers mistakenly think that layering 2FA on top of passwords will help defend against phishing attacks.

But attackers have been phishing 2FA codes since at least 2012 and it's gone from an advanced attack to bog-standard. The only way to defend against phishing attacks in 2024 is to use phishing-resistant credentials like passkeys.



