The biggest problem I have with passkeys is being tied to a single device: you still need a flow to reset/get in _without_ the passkey. As you're only as secure as your weakest link, passkeys don't add any security.
That said, if you have a Mac with a fingerprint scanner they sure are a very convenient option.
And don't get me started on terrible vendors like Rippling that only support a single passkey! Madness.
I keep hearing it repeated, but where does this "tied to a single device" idea come from?
The default, built-for-the-masses implementation of passkeys is called "synced passkeys". They are designed to sync between all your enrolled devices, ideally using end-to-end encryption.
You authenticate with whatever device you happen to be using at the time - phone, tablet, laptop, desktop - doesn't matter. If you lose one, you replace that device and re-enroll - then all your passkeys magically re-appear on the new device.
If you're cross-platform, modern password managers work across ecosystems - for example, 1Password syncs passkeys between Mac, Windows, iOS, Android, and Linux. If you're all-in on Apple, their native passkey implementation syncs passkeys between all your Apple devices. I thought Google and Microsoft do something similar now.
It's a real mystery why people believe passkeys have to be stored on your phone only.
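Two points in the thread, the complaint about vendors that allow only one passkey and the description of losing a device and re-enrolling, come down to one relying-party design decision: whether an account can hold more than one credential. The following is an added example, not code from any commenter or vendor named here, sketching that decision on the server side. It models a WebAuthn-style account with a list of enrolled passkeys, revokes the lost phone's credential, and verifies a laptop assertion (signature over `authenticatorData || SHA-256(clientDataJSON)`) with the Go standard library. The relying-party id `example.test`, the credential ids, the account model and the `clientDataJSON` contents are all constructed for the example; a real deployment would also check the challenge, origin and signature counter.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const rpID = "example.test" // constructed relying-party id for this example

// Credential is one enrolled passkey as the relying party stores it: an id and
// the public half of the key pair that lives on the authenticator or synced vault.
type Credential struct {
	ID     string
	PubKey *ecdsa.PublicKey
}

// Account keeps every passkey the user has enrolled. Capping this list at one
// entry is what turns a dropped phone into a locked-out account.
type Account struct {
	User        string
	Credentials []Credential
}

// Register enrolls another passkey for the account (hypothetical RP helper).
func (a *Account) Register(id string, pub *ecdsa.PublicKey) {
	a.Credentials = append(a.Credentials, Credential{ID: id, PubKey: pub})
}

// Revoke removes a passkey, e.g. after the device that held it is lost.
func (a *Account) Revoke(id string) {
	kept := a.Credentials[:0]
	for _, c := range a.Credentials {
		if c.ID != id {
			kept = append(kept, c)
		}
	}
	a.Credentials = kept
}

// authenticatorData builds the 37-byte header an authenticator signs:
// SHA-256(rpId) || flags || 32-bit signature counter.
func authenticatorData(flags byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	buf := append(append([]byte{}, h[:]...), flags)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	return append(buf, ctr...)
}

// signedMessage is the byte string the authenticator signs:
// authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// Sign plays the authenticator side (a stand-in for the example, not a platform API).
func Sign(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	digest := sha256.Sum256(signedMessage(authData, clientDataJSON))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the relying-party check: the credential must still be enrolled, the
// authData must be for our rpId with user presence set, and the signature must
// verify under that credential's public key.
func (a *Account) Verify(credID string, authData, clientDataJSON, sig []byte) error {
	if len(authData) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if authData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	for _, c := range a.Credentials {
		if c.ID != credID {
			continue
		}
		digest := sha256.Sum256(signedMessage(authData, clientDataJSON))
		if !ecdsa.VerifyASN1(c.PubKey, digest[:], sig) {
			return errors.New("signature does not verify")
		}
		return nil
	}
	return errors.New("credential not enrolled for this account")
}

// Scenario enrolls a phone and a laptop passkey, loses the phone, and reports
// whether the laptop still gets in and the revoked phone key is rejected.
func Scenario() (laptopStillWorks, lostPhoneRejected bool, err error) {
	phone, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	laptop, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	acct := &Account{User: "alice"}
	acct.Register("cred-phone", &phone.PublicKey)
	acct.Register("cred-laptop", &laptop.PublicKey)

	// Constructed clientDataJSON; a real one carries the server-issued challenge.
	clientData := []byte(`{"type":"webauthn.get","challenge":"c2FtcGxl","origin":"https://example.test"}`)
	authData := authenticatorData(0x05, 1) // UP|UV flags, counter 1

	acct.Revoke("cred-phone") // the phone is gone: drop its credential

	lSig, err := Sign(laptop, authData, clientData)
	if err != nil {
		return false, false, err
	}
	pSig, err := Sign(phone, authData, clientData)
	if err != nil {
		return false, false, err
	}
	laptopStillWorks = acct.Verify("cred-laptop", authData, clientData, lSig) == nil
	lostPhoneRejected = acct.Verify("cred-phone", authData, clientData, pSig) != nil
	return laptopStillWorks, lostPhoneRejected, nil
}

func main() {
	ok, rejected, err := Scenario()
	fmt.Println("laptop still works:", ok, "| lost phone rejected:", rejected, "| err:", err)
}
```

The point of the list in `Account` is that recovery from device loss becomes "sign in with the other enrolled passkey, revoke the lost one" rather than an out-of-band reset flow, which is the weakest-link problem raised at the top of the thread.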
I dropped my phone and it literally fell apart. As a result I have been locked out of my AWS account. The "get a phone call" verification just does not work. Only saving grace is that it was an account I used to test things.