> your usecase was different because you have several devices
So we just normalize having multiple devices, and suddenly my use case is the same as everyone else's.
It's not like I'm talking about everyone having a dozen $1,000 devices. Several of my authenticators were like $20-30 and have lasted over a decade even getting thrown in the washing machine and getting left in the rain and dropped in the pool. One was on my keys when I was daily driving a motorcycle in a rainy season and still works a decade later.
People don't find it weird to have two car keys and those things often cost hundreds of dollars these days to be replaced.
People aren't going to buy little USB sticks, some phones don't even have USB ports and the NFC or Bluetooth connection never works properly. Also generally even having multiple devices isn't going to save you when you really need saving. Like in a house fire or while on vacation and your phone breaks, who really keeps a second phone around constantly with all the passkeys on it, like e.g. in your hotel room? Then what if someone breaks in and steals your backup phone, now you have to invalidate all those passkeys somehow right?
I also don't know whether there is even any recovery process planned or possible, I guess not? So why on earth would I pick a new system like passkeys where I can't just have Google email me a new password vs. a system where that is impossible? Effectively my email account is like a second device in the password system which is far easier to carry around than a physical device. Sure a second, different email account could get itself password guessed but the chances of that are so small, it's pointless to think about and even if it does get hacked, even then it probably won't matter because it will only get used during recovery processes for a few seconds.
It also still doesn't answer the question around how I would know whether the passkey I created on a different device will work. One time a login process on Windows told me to use a QR scanner via my phone and then I got logged in. Okay so did that create a new passkey now and where? Both devices were involved in the login process, it was unclear to me. Maybe it was also the registration process, they are so similar now that I can't remember.
I guess maybe half the problem is that the proposition seems so strange: We are being told that all of a sudden having multiple "passwords" for the same account is actually great, it's secure. In fact: Just have a new password for the same account on every device, you can just keep creating new passkeys and it's no problem at all?! Oh and btw, if you lose any one of those your entire account is utterly compromised and good luck figuring out which of those passkeys you have to invalidate now. Somehow this is okay and secure.
Tons of people walk around with lots of little hardware security modules every day. They've got a wallet full of chipped credit cards, they've got car keys with transponders, etc. What's one other piece of plastic on the keyring? What's one more card in the wallet?
> some phones don't even have usb ports
Practically no smartphone sold today has no USB ports. And besides, we're talking about activating a new phone, so chances are that new phone is going to have a working USB port.
If they don't even own a smartphone and don't want to own one, well, then sure I'd agree they maybe shouldn't use passkeys. But if they're not using a smartphone they're probably not too worried about logging into their iCloud account or Google account or whatever on their dumbphone. So I don't see the issue of their dumbphone not being able to log into the services which aren't supported on the device anyways.
I'm not necessarily arguing they're for everyone, but they do apply to most people in most developed countries. They should be an optional way to access your account.
> on vacation and your phone breaks, who really keeps a second phone around constantly
It's not a second phone, it's either the YubiKey on my keys probably still in a bag/safe in the room if I flew somewhere or it's in my pocket.
> someone breaks in and steals your backup phone
Yeah, I'd probably want to go about disabling it eventually. But generally, I'm not too worried in the immediate time. You need to unlock the device to get access to the passkeys. If you fail too many times, you're not getting access to the passkeys, ever.
> Effectively my email account is like a second device in the password system
So effectively all your accounts are protected by a single password that's available to have people attempt your password anywhere, anytime, pretty much however fast they want to.
> Sure a second, different email account could get itself password guessed but the chances of that are so small
As someone who's managed email for a lot of people, it's really not that small of a chance if it's just a password to an email account.
The only thing I'd potentially be really worried about is a house fire, but pretty much every important account of mine has backup passphrases in the fire-resistant safe. I do live just down the street from the fire station though, so the odds of a fire burning up all my stuff including everything in the fire-resistant safe seem pretty low. Probably lower than your everything-in-your-life email protected by just a password getting hacked.