by davidkhess 1503 days ago
I think this is really great news and am glad to see FIDO move forward as I think it greatly increases account security.

One aspect of FIDO that could still be troublesome is account recovery in case of inadvertent loss of passkey. OOB recovery with SMS or email is considered too weak and the main recommended alternatives are to maintain multiple authenticators (i.e. multiple copies of your passkeys), re-run onboarding processes for new users or just abandon the account.

It's going to be interesting to see how those alternatives play out in real world situations.

2 comments

Reading this announcement, the idea seems to be that FIDO keys will be synchronised across devices. That means you can lose your phone and still get access to your accounts from your desktop.

You might even be able to get access by simply logging in to your Microsoft/Apple/Google account on a new device if they implement this system stupidly enough.

Yes, these will be stored in cloud storage like iCloud Keychain. But I can go into my iCloud Keychain and delete individual passkeys - or I may have only one Apple device and then lose it. Or some malware clears out all of my iCloud Keychain.
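The "multiple authenticators" recovery strategy from the top comment and the synced-passkey question in the replies both come down to one relying-party check: does this account have a credential that survives losing a single device? An added example (not code from any commenter, Apple, or the FIDO Alliance) that parses the WebAuthn authenticator data returned at registration, reads the backup-eligible (BE, bit 3) and backup-state (BS, bit 4) flags that WebAuthn Level 3 defines for synced passkeys, and classifies the account's recovery posture. The sample authenticator data is constructed by hand, and the posture labels, `Credential` record and helper names are this example's own assumptions, not part of the spec.

```python
"""Recovery-posture check for a WebAuthn/FIDO2 relying party.

Added example for this thread; not from any commenter, vendor or spec text.
authenticatorData layout (WebAuthn): rpIdHash[32] | flags[1] | signCount[4]
(big-endian) | optional attested credential data | optional extensions.
Flag bits used here are the ones the spec defines; everything else
(posture names, Credential record, thresholds) is this example's assumption.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced (a "passkey")
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows the signCount


@dataclass(frozen=True)
class Credential:
    credential_id: bytes
    backup_eligible: bool
    backed_up: bool


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> tuple[int, int]:
    """Return (flags, signCount) after checking rpIdHash against our RP ID."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if flags & FLAG_BS and not flags & FLAG_BE:
        # The spec only allows BS when BE is set; reject malformed data.
        raise ValueError("invalid flags: BS set without BE")
    return flags, sign_count


def credential_from_registration(cred_id: bytes, auth_data: bytes, rp_id: str) -> Credential:
    """Record what the authenticator told us about the credential's sync status."""
    flags, _ = parse_authenticator_data(auth_data, rp_id)
    return Credential(cred_id, bool(flags & FLAG_BE), bool(flags & FLAG_BS))


def recovery_posture(creds: list[Credential]) -> str:
    """Classify an account by what losing one device or one sync provider costs.

    Labels are this example's own:
      no_credentials        nothing registered
      single_device_bound   one device-bound key: lose the device, lose the account
      multiple_device_bound two or more device-bound keys: survives one lost device
      synced_only           only synced passkeys: recovery depends on the sync provider
      mixed                 synced plus device-bound: survives either failure alone
    """
    if not creds:
        return "no_credentials"
    synced = [c for c in creds if c.backup_eligible]
    bound = [c for c in creds if not c.backup_eligible]
    if synced and bound:
        return "mixed"
    if synced:
        return "synced_only"
    return "single_device_bound" if len(bound) == 1 else "multiple_device_bound"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed test vector: minimal authenticatorData with no attested credential data."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # assumed RP ID
    phone_key = credential_from_registration(b"\x01", make_auth_data(rp, FLAG_UP | FLAG_UV), rp)
    synced_key = credential_from_registration(
        b"\x02", make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS), rp)
    print("one hardware key only:", recovery_posture([phone_key]))
    print("one synced passkey only:", recovery_posture([synced_key]))
    print("both registered:", recovery_posture([phone_key, synced_key]))
```

A relying party can run `recovery_posture` at registration time and after every credential deletion, and nudge the user to add a second authenticator (or a device-bound one alongside a synced passkey) before the account reaches the `single_device_bound` or `synced_only` state. The flags are self-reported by the authenticator, so this is a hygiene signal rather than a security guarantee; attestation is the only way to know more about the device.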
> One aspect of FIDO that could still be troublesome is account recovery in case of inadvertent loss of passkey.

I think the idea is that passkeys are synced between devices, see e.g.:

https://developer.apple.com/videos/play/wwdc2021/10106/

I haven't looked deeply enough into passkeys yet, but aren't we replacing "what if I lose my device" with "what if company XYZ decides to nuke my access to my synchronized passkey"?