@neuron @xssfox So, the basic idea is that your phone (or other mobile device) is your authentication method: Unlocking your phone during the login process logs you into whatever you're trying to use. But there's no direct interaction between devices, so it's more like simultaneously logging in from two separate devices in parallel, which means it requires the infrastructure and data access of a monopolistic megaplatform to work as securely as advertised in the first place. And when it works as advertised, it's really easy! But, just a sampler of the ways this can go wrong in practice, for normal people who aren't wealthy tech bros living specifically in major West Coast cities:
- You lost/broke your phone or someone stole it and you don't have a second phone sitting around but you need to be able to log in to stuff to replace it.
- You lost/broke your phone or someone stole it and you can't afford to replace it immediately.
- You lost/broke your phone or someone stole it and you can't turn on cloud backups because the platform says it's not available in your country.
- Someone stole your phone and you *do* replace it, but your old phone is still out there and the thief did a sloppy job wiping it for resale, and the buyer uses it to set up their own passkey somewhere, and the platform flags this as suspicious and locks out *both of you*.
- The above scenario, but also the platform doesn't officially offer customer support in your country or language.
- You can't afford to buy a new phone every year or two and the platform arbitrarily decides your phone is too old to log you into stuff anymore.
- You *can* afford to buy a new phone every year or two, but only because the phones available to you are either used models, or the unsold leftovers from wealthier countries, so by the time you buy a new phone, it's considered "obsolete" by people on another continent who make a quarter million dollars a year.
- You're trying to log in to something from a computer but your phone doesn't have internet access.
- You're trying to log in to your computer but it doesn't have internet access, so unlocking your phone is useless (seen this happen with MacBooks).
- The platform's geolocation data is inaccurate in your country and they think your phone and computer are arbitrarily too far apart even though you're literally holding them both.
- The platform decides they don't allow passkeys from your country but they forgot to tell you this until after you already set it up.
These are just the ones I *remember*. And this doesn't even factor in the basic concept of human mortality - I've been dealing with the mess passkeys cause in *that* scenario for *months*.
In short, my criteria for recommending passkeys are as follows:
- Do you live within 50 miles of San Francisco, CA or Seattle, WA and plan to stay there forever?
- Do you comfortably own at least two personal mobile devices and plan to continue to do so indefinitely?
- Does your annual salary have at least six digits?
- Do you trust at least one monopolistic megaplatform (Apple, Google, or Microsoft) to be a permanent, inescapable middleman in every attempt to log in to things forever, and to indefinitely support the brand-new standard they championed?
- Do you plan to die alone and unloved with no surviving friends, family, or creative/business partners who might need access to something you locked behind a passkey?
If the answer to all of the above is "yes", then passkeys are for you!