> I'm saying that the world which passkey advocates want is a world where if, for any reason, you can't log in with your passkey (due to a lost/broken device, a software bug, whatever), you'll be locked out of your account.
Can you point me to a citation or two where passkeys advocates claim that passwords must go away and/or account recovery mechanisms must be abolished?
Elsewhere in this thread [0], passkey advocates go on for quite a bit about how vulnerable passwords are to phishing. Really, any account recovery mechanism not linked to hardware would seem to be vulnerable to phishing in the way they don't want it to be.
Passkeys provide better security regardless of whether passwords continue to be supported. Two reasons off the top of my head:
• Passkeys stop phishing. Using your passkey instead of a password (when both are available) ensures you're actually signing in to the site/service you expect.
• Passkeys have zero value when leaked. Users' private keys remain secret and safe even when public keys are stolen and distributed.
That said, passwords aren't going extinct anytime soon. It will likely become more popular to require 2FA for password users in the meantime, as it should.
Passkeys don't stop phishing. If the user has both a password and a passkey to a service, a phishing site needs to just ask for a password and not mention passkeys and people will just enter their password.
>It will likely become more popular to require 2FA for password users in the meantime, as it should.
A lot of folks/services/engineers mistakenly think that layering 2FA on top of passwords will help defend against phishing attacks.
But attackers have been phishing 2FA codes since at least 2012 and it's gone from an advanced attack to bog-standard. The only way to defend against phishing attacks in 2024 is to use phishing-resistant credentials like passkeys.