The glee with which people say "and it's on your phone!" is what gets me.
Right: it's on the small device I take everywhere and use for everything. The one most likely to get lost, stolen or completely destroyed, and absolutely has to be replaced in about 5 years.
That device. You want to permanently lock data to that thing?
(My phone is basically disposable in terms of my expectations for its future survival, and man do I not like the Android recovery options still)
> That device. You want to permanently lock data to that thing?
This is why no passkey implementations do this: the mainstream implementations all require synchronization, and if you read e.g. Apple’s iCloud documentation, note that the offline recovery mode is designed for the case where all of your devices are lost:
"Passkey synchronization provides convenience and redundancy in case of loss of a single device. However, it's also important that passkeys be recoverable even in the event that all associated devices are lost. [...]
To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After they authenticate and respond, the user must enter their device passcode. [...]"
And we get back to knowledge based auth in the end.
Yes, but that’s like saying there’s no difference between a bicycle and a dump truck because they both have wheels and can go off road. Passkeys make an immediate, significant improvement for security and ease of use, and the disaster scenario is no worse, often better.
Recovery flows being based on knowledge based auth that requires multiple pieces of knowledge does not in any way reduce the extremely meaningful security improvements that passkeys bring for both users and Relying Parties on a daily basis.
> Right: it's on the small device I take everywhere and use for everything.
So don't put it on only your phone, put it on your phone, your laptop, your desktop, and maybe a physical hardware token. Lose all but one and you're still fine.
I lost my phone. I don't bother with the cloud-synced passkeys. I didn't lose any of my identities, because I had access through other devices.
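The "register it on more than one device, then revoke the one you lose" approach above, worked through as relying-party code. This is an added example, not code from the thread or from any passkey vendor: a minimal WebAuthn-style relying party in Go that keeps several P-256 credentials per account, verifies each assertion over authenticatorData || SHA-256(clientData) with ecdsa.VerifyASN1, enforces the signature counter (with the zero-counter exception synced passkeys need), revokes the lost phone's credential, and still signs the user in from the laptop. The Authenticator type, the RP ID example.com, the device names, and using the raw challenge in place of clientDataJSON are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is what the relying party (RP) stores per passkey; the private key never leaves the device.
type Credential struct {
	PubKey    *ecdsa.PublicKey
	SignCount uint32 // last signature counter seen
	Revoked   bool
}
type Account map[string]*Credential // any number of credentials per user, keyed by credential ID

// Authenticator stands in for a device holding a P-256 key; an assumption of this example, not a real CTAP device.
type Authenticator struct {
	ID    string
	priv  *ecdsa.PrivateKey
	count uint32
}

// Assertion is the device's answer to a sign-in challenge.
type Assertion struct {
	CredID    string
	AuthData  []byte // rpIdHash(32) || flags(1) || signCount(4, big-endian)
	Signature []byte // DER ECDSA over SHA-256(AuthData || SHA-256(clientData))
}

// signedMessage is the WebAuthn signing input; the raw challenge stands in for clientDataJSON here.
func signedMessage(authData, clientData []byte) []byte {
	clientHash := sha256.Sum256(clientData)
	msg := sha256.Sum256(append(append([]byte{}, authData...), clientHash[:]...))
	return msg[:]
}

// Sign models the device side of a WebAuthn get() ceremony.
func (a *Authenticator) Sign(rpIDHash, clientData []byte) Assertion {
	a.count++
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], a.count)
	authData := append(append(append([]byte{}, rpIDHash...), 0x05), cnt[:]...) // 0x05 = UP|UV flags
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, clientData))
	if err != nil {
		panic(err) // demo only
	}
	return Assertion{CredID: a.ID, AuthData: authData, Signature: sig}
}

// Verify is the RP side: known, unrevoked credential; our RP ID; valid signature; counter moved forward.
func (acc Account) Verify(rpIDHash, clientData []byte, as Assertion) error {
	c, ok := acc[as.CredID]
	if !ok || c.Revoked {
		return errors.New("unknown or revoked credential")
	}
	if len(as.AuthData) != 37 || !bytes.Equal(as.AuthData[:32], rpIDHash) {
		return errors.New("authenticator data is not for this RP")
	}
	if !ecdsa.VerifyASN1(c.PubKey, signedMessage(as.AuthData, clientData), as.Signature) {
		return errors.New("bad signature")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:])
	// Synced passkeys may always report 0; WebAuthn only demands an increase once either side saw a non-zero value.
	if (count != 0 || c.SignCount != 0) && count <= c.SignCount {
		return errors.New("counter did not increase: possible cloned key")
	}
	c.SignCount = count
	return nil
}

// LoseAPhone runs the thread's scenario: three devices registered, phone lost and revoked, laptop still
// signs in; a replayed laptop assertion and the revoked phone are both refused.
func LoseAPhone() (laptopOK, phoneRejected, replayRejected bool) {
	rpIDHash := sha256.Sum256([]byte("example.com")) // hypothetical RP ID
	acc, devs := Account{}, map[string]*Authenticator{}
	for _, name := range []string{"phone", "laptop", "security-key"} {
		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err) // demo only
		}
		devs[name] = &Authenticator{ID: name, priv: priv}
		acc[name] = &Credential{PubKey: &priv.PublicKey} // registration: one more public key on the account
	}
	challenge := make([]byte, 32) // a real RP draws a fresh one per ceremony
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	acc["phone"].Revoked = true // the recovery step: revoke the lost device's credential
	as := devs["laptop"].Sign(rpIDHash[:], challenge)
	laptopOK = acc.Verify(rpIDHash[:], challenge, as) == nil
	replayRejected = acc.Verify(rpIDHash[:], challenge, as) != nil
	phoneRejected = acc.Verify(rpIDHash[:], challenge, devs["phone"].Sign(rpIDHash[:], challenge)) != nil
	return
}

func main() {
	fmt.Println(LoseAPhone()) // true true true
}
```

The point the code makes is that redundancy lives on the RP side as a list of public keys, so the user is not tied to any one device: losing the phone costs one map entry, and revoking it closes the window in which a found phone could still sign in. The counter check is what catches a cloned key, which is why the zero-counter exception matters for synced passkeys.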
I don't know how other providers deal with recovery, but if you use iCloud Keychain for storing/syncing your passkeys, Apple has a very impressive amount of recovery options, including an option for recovery even if you lose 100% of your devices.
See the section titled "Recovery security" in this support article:
If the giant meteor comes crashing down to destroy everything around me, I don't think I'll be that concerned about getting locked out of a video streaming site.
Even if I have a house fire. Small chance it'll actually destroy all my devices and paper recovery codes. And the odds of having that house fire is also pretty low.
If a tornado destroys my house, chances are my hardware tokens will survive. More of a question of where they ended up. A tornado destroyed my brother's house, his iPad ended up just fine.
I don't really live in an area where landslides are possible. If I did I'd probably want to plan around that with the passkeys. But that's true for a number of things at that point though.
What if every device hosting a password safe breaks?
Most people do not have a surplus of devices. They might only have a single phone which carries their life. A phone which at any moment could be lost, stolen, or destroyed.
A password safe, I can trivially backup however I wish. The cloud, a USB I keep at mom’s house, print it out, whatever (in fact, I do maintain encrypted offsite backups in a couple of locations).
> A password safe, I can trivially backup however I wish
Boy do I have good news for you then. Passkeys can often be stored in many available password safes. Bitwarden, KeepassXC, LastPass, 1Password, Dashlane, and more all support passkeys. Make one on whatever device, one in your password safe, and you'll have redundancy.
And I'm not talking about people needing to carry two $1,000 phones or a $1,000 phone and a $1,000 laptop. You could have your second key be a small, cheap (<$40), durable authenticator. Another thing on a keychain, another card in a wallet. Really that big of a deal?
And if that's truly impossible for you, then sure I'll agree passkeys might not be for you. I agree, some people like those who are homeless have a hard time keeping any material goods safe. I'm not arguing every account for every person needs to be only passkeys. But people here are acting like it's something impossible for nearly anyone to use safely. And I don't think that's based in reality. I think a lot of people could use them safely if they wanted to, but there's a massive amount of FUD about them.
Any solution which does not allow me full autonomy to maintain a backup is not acceptable.