
One thing passkey proponents forget is password-authenticated key exchanges (PAKEs).

PAKEs use passwords, and they are unphishable. That is the direction we should go to avoid vendor lock-in.



Does PAKE protect against scenarios like "password written on sticky note", "fake login page hosted at login.nnicrosoft.com", or "scammer impersonating IT staff"?


From the first, no.

It does handle the second and third, IIRC.


It doesn't handle these either - what stops the user from entering their password on an attacker-controlled phishing page?

Passkeys work because the user can't be tricked into entering their private key on a phishing website.
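The origin binding behind that reply, as an added illustration (example code written here, not from the thread or any vendor): the browser, not the user, records the page origin in clientDataJSON, and the authenticator records SHA-256(rpId), so a relying party checking those fields rejects an assertion produced on a look-alike domain. The relying party id, allowed origin and challenge value are constructed assumptions.

```python
import base64
import hashlib
import json

# Assumed relying-party identity (constructed for this example).
RP_ID = "microsoft.com"
ALLOWED_ORIGINS = {"https://login.microsoft.com"}
CHALLENGE = b"constructed-challenge-0123456789"  # one-time value issued per login

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser (not the user) puts in clientDataJSON: the real page origin."""
    return json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """What the authenticator signs over: SHA-256(rpId) || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def verify_binding(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes):
    """Relying-party checks that make a passkey assertion origin-bound. Returns (ok, reason).
    The signature over auth_data || SHA-256(client_data_json) is checked after these steps
    (omitted here); it is what stops an attacker from editing the fields checked below."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if _unb64url(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or cross-session assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:  # UP bit: user presence was confirmed
        return False, "user presence flag not set"
    return True, "origin and rpId bound correctly"

if __name__ == "__main__":
    # Genuine login: browser reports the real origin, authenticator scoped to microsoft.com.
    print(verify_binding(make_client_data("https://login.microsoft.com", CHALLENGE),
                         make_auth_data("microsoft.com"), CHALLENGE))
    # Look-alike page: the browser fills in the attacker's origin and the authenticator
    # can only be scoped to that domain, so the relying party rejects the assertion.
    print(verify_binding(make_client_data("https://login.nnicrosoft.com", CHALLENGE),
                         make_auth_data("nnicrosoft.com"), CHALLENGE))
```

Contrast with a password: the user supplies it and can type it anywhere, whereas the origin and rpIdHash are supplied by the client and authenticator and cannot be overridden by the page.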


Browsers could help with this. They just don't.


Where's the vendor lock-in?


Cloud sync.


That's not an inherent feature of passkeys.


True, but you either have that or a catastrophic loss of identity if you lose it.


Only if you tie your identity to a single cloud provider?


I mean if you don't have cloud sync, then if you lose your phone, you have lost those passkeys.


If I lose my only front door key, I can't get into my house.

This is why I keep a spare.


> If I lose my only front door key, I can't get into my house.

You can pay a locksmith to pick (and rekey) the door lock. You can even break down the door and replace it later. None of that is an option with passkeys.


In this metaphor, these are the "forgotten password" or "recovery key" flows.


Your argument is exactly why people conflate passkeys with cloud syncing and vendor lock-in.


I have passkeys. I lost my phone. I did not lose my identities.


Do you have cloud sync? My point was that it is one or the other.


I don't. So your point isn't based in truth. I just used another device which also had passkeys, and then provisioned new ones on the new device.

Ah, the magic of having two of them! Truly a revolutionary experience.

I just used my physical tokens or my laptop or desktop to authenticate my new phone.



