
> That device. You want to permanently lock data to that thing?

This is why no passkey implementations do this: the mainstream implementations all require synchronization, and if you read, e.g., Apple’s iCloud documentation, note that the offline recovery mode is designed for the case where all of your devices are lost:

https://support.apple.com/en-us/102195



"Recovery security

Passkey synchronization provides convenience and redundancy in case of loss of a single device. However, it's also important that passkeys be recoverable even in the event that all associated devices are lost. [...] To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After they authenticate and respond, the user must enter their device passcode. [...]"

And we get back to knowledge-based auth in the end.


Yes, but that’s like saying there’s no difference between a bicycle and a dump truck because they both have wheels and can go off road. Passkeys make an immediate, significant improvement for security and ease of use, and the disaster scenario is no worse, often better.


Recovery flows being based on knowledge-based auth that requires multiple pieces of knowledge does not in any way reduce the extremely meaningful security improvements that passkeys bring for both users and Relying Parties on a daily basis.



