If you can drop a single device in a lake and lose your credential, it’s not a passkey. Passkeys are backed up and synced across your devices to deliver a great and safe user experience, while also eliminating phishing.

If it’s device-bound, it’s not a passkey. :)

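The device-bound versus synced distinction in the post above is something a relying party can actually observe: WebAuthn authenticator data carries a Backup Eligible (BE) flag and a Backup State (BS) flag in its flags byte, and a credential with BE clear is single-device. The following is an added example, not code from rmondello or from any passkey provider; it parses the fixed part of authenticator data, reads those flags, and classifies the credential. The sample bytes are constructed inline for the demo, the AAGUID is zeroed and the public key is a placeholder empty CBOR map, since the point is the flag logic, not key handling.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Flag bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced (multi-device)
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows the sign counter


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    credential_id: Optional[bytes]


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse rpIdHash, flags, signCount and (if AT is set) the credential id."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = data[:32]
    flags = data[32]
    sign_count = struct.unpack(">I", data[33:37])[0]
    credential_id = None
    if flags & FLAG_AT:
        # attestedCredentialData: aaguid(16) | credentialIdLength(2) | credentialId | COSE key
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", data[53:55])[0]
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("credential id truncated")
    return AuthData(rp_id_hash, flags, sign_count, credential_id)


def credential_kind(flags: int) -> str:
    """Classify a credential from its BE/BS flags, per the WebAuthn flag semantics."""
    be = bool(flags & FLAG_BE)
    bs = bool(flags & FLAG_BS)
    if bs and not be:
        raise ValueError("BS set without BE is not a valid flag combination")
    if not be:
        return "device-bound"          # lose the device, lose the credential
    if not bs:
        return "backup-eligible"       # could sync, but is not backed up right now
    return "synced"                    # what the post calls a passkey


def assess_registration(data: bytes, expected_rp_id: str) -> dict:
    """Relying-party side checks: rpId binding, user verification, and credential kind."""
    auth = parse_authenticator_data(data)
    if auth.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    return {
        "credential_id": auth.credential_id.hex() if auth.credential_id else None,
        "user_verified": bool(auth.flags & FLAG_UV),
        "kind": credential_kind(auth.flags),
        "sign_count": auth.sign_count,
    }


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int,
                           credential_id: Optional[bytes] = None) -> bytes:
    """Constructed sample authenticator data for the demo (not captured from a real device)."""
    out = hashlib.sha256(rp_id.encode()).digest()
    if credential_id is not None:
        flags |= FLAG_AT
    out += bytes([flags]) + struct.pack(">I", sign_count)
    if credential_id is not None:
        # zero AAGUID, credential id, and an empty CBOR map (0xa0) standing in for the COSE key
        out += bytes(16) + struct.pack(">H", len(credential_id)) + credential_id + b"\xa0"
    return out


if __name__ == "__main__":
    rp = "example.com"
    synced = build_sample_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0, b"\x01\x02\x03")
    bound = build_sample_auth_data(rp, FLAG_UP | FLAG_UV, 7, b"\x04\x05")
    print(assess_registration(synced, rp))
    print(assess_registration(bound, rp))
```

A relying party can use the `kind` field to decide policy, for example prompting a user who registered only a device-bound credential to add a second, synced one, which is exactly the recovery concern raised in the replies.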
@rmondello What if you lose all your devices? (This is a real question, not rhetorical. I don't fully understand how passkeys work.)
@conlan @rmondello Because they sync through a cloud account, you should have backups for that account: a way to gain access from a new device after you lost all the others (could use a security key, MFA recovery codes, a recovery email, designate a couple of close friends as recovery accounts, etc.; depends on what the cloud service provides).
@tbroyer @rmondello Does that not weaken the security? Feel free to point me to a good explainer video or something… I think the complexity of passkeys may put off normal people from switching to them. (I'm speaking as someone who has started transitioning to them because they seem better than passwords, even if I don't completely understand the mechanisms.)
@conlan @rmondello This is similar to using a password manager, except you store passkeys into it rather than passwords, and this improves security everywhere you'll use passkeys rather than passwords. But you need to keep access to your password manager even in the event you lose all your devices (where you could have registered your fingerprints to unlock it, for instance).
@tbroyer @rmondello Yeah, I can see how that’s an improvement. Thanks.

@conlan @rmondello
Right now the answer is “same as you do for lost password” which is not very satisfying. The entire #passkeys passwordless revolution depends on still using a password AND MFA if you lose your main credentials.

Although having keys synchronized usually means there is a copy in the cloud somewhere that you can recover, thanks to Apple or #1password or whoever. It’s also not a bad idea to use a competing/separate system to generate a second #passkey for the most important sites in your life (email, bank, etc)

I think in the future there will still be a “one time code” even if passwords are dead and gone. Validation by email, SMS, or security questions will still be around for my lifetime.

One thing that does show some hope of escaping the “knowing the secret” rat race is security keys like #yubikey, which right now are not well-known and not well-supported by everyone but are growing.

So there’s a handful of answers to the question but none great.