by floatboth 1475 days ago
Just add more authenticators to every RP (site you auth into). From the point of view of an RP, "your account in the Apple ecosystem" here is the exact same thing as "one of your Yubikeys", basically.

That seems like an enormous pain if you have dozens or hundreds of services. It could take hours to do this one at a time. (I'm assuming one minute per service, though that depends on how hard it is to find the "add another authenticator" page for each service.)

It's possible I'm unaware that there is a simple protocol for this. Am I incorrect here?

You should always add at least two keys for every service in case you lose the first anyway. That was the case even before Apple passkey, so just keep doing the same.
This isn't a great solution, as in order to enrol in new services you have to either retrieve your backup key from its safe storage location, or keep the backup key with you at all times (which defeats its purpose).

And if you do move away from Apple's Passkey to your second key, you'll want to buy and set up a new backup key. So you have to do the tedious mass-enrollment anyway.

It's probably more painful than that.

Let's say that I have two laptops, a MacBook Air and a Lenovo ThinkPad. I create an account with an Apple Passkey on a website. I can now log into my account on the MacBook Air, but not on the Lenovo ThinkPad.

How do I register my ThinkPad? I need to log into my existing account to add a new authenticator (Windows Hello in this case). Does the website offer an email link I can use to log into the account? Do I have a backup code that I need to use? Do I need to set a password and log in the normal way (thus removing the advertised phishing and database leak benefits)?

You are 100% correct that you need to add it to each service. This is a consequence of an intentional decision (keys cannot be duplicated). Streamlining it would definitely be an improvement.

That being said, it's not a problem in the real world because FIDO is so sparsely supported. Hopefully PassKey speeds things along.

The relevant WebAuthn standard actually supports keys regardless of whether they can be duplicated. Even "virtual", software-only keys are supported. It's up to each individual service whether they allow the user to enroll such keys.
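As an added illustration (not code from any commenter or from any RP), here is how a relying party might model the point above in Python: an account holds any number of credentials, the BE/BS flag bits of the registration authenticatorData record whether a credential is a syncable passkey or a device-bound key, and the RP's own policy decides whether synced credentials are accepted. The flag bit positions are the ones defined in the WebAuthn specification; the sample authenticatorData is constructed here and omits the COSE public key.

```python
import hashlib
import struct

# authenticatorData flag bits (WebAuthn Level 3, section 6.1).
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40

def parse_registration_auth_data(auth_data: bytes, rp_id: str) -> dict:
    """Extract what an RP stores from a registration ceremony's authenticatorData."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this RP")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if not flags & FLAG_AT or len(auth_data) < 55:
        raise ValueError("missing or truncated attested credential data")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credentialId")
    return {
        "credential_id": cred_id,
        "aaguid": auth_data[37:53],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_verified": bool(flags & FLAG_UV),
        # BE set: the private key may be synced (a passkey); clear: device-bound.
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
    }

def enroll(accounts: dict, username: str, auth_data: bytes, rp_id: str,
           allow_synced: bool = True) -> dict:
    """Attach one more credential to an account; every account may hold many."""
    cred = parse_registration_auth_data(auth_data, rp_id)
    # The spec requires a credentialId to be unique across all users of the RP.
    if any(cred["credential_id"] in creds for creds in accounts.values()):
        raise ValueError("credentialId already registered")
    if cred["backup_eligible"] and not allow_synced:
        raise ValueError("this RP accepts device-bound credentials only")
    accounts.setdefault(username, {})[cred["credential_id"]] = cred
    return cred

def make_auth_data(rp_id: str, flags: int, cred_id: bytes) -> bytes:
    """Constructed sample authenticatorData; the COSE public key is omitted."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", 0) + bytes(16) + struct.pack(">H", len(cred_id)) + cred_id)
```

With `allow_synced=True` a hardware key and a synced passkey sit side by side on the same account, which is the "just add more authenticators" model; flipping the flag shows an RP that opts out of synced keys.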
Streamlining would be an improvement, but it opens an attack vector.

Unfortunately, security and usability are always in balance.

I should have been more specific. Test how many clicks it takes to add a key to one of your "mainstream" accounts. We would hope that services which support FIDO eventually gravitate to a single UX language, which would also reduce the time taken to register new keys.
Agreed
Could it be automated by a third-party service?

How much would you be willing to pay for such a service? ;)

Well, realistically not all services will support WebAuthn… spending an hour to handle a dozen important ones doesn't sound like a big deal to me.
The goal of the recent initiatives is to create widespread passwordless authentication, so it seems likely that the number of services that support WebAuthn will grow dramatically over the next few years.
For less important accounts, you could use OAuth with another site. (For example, maybe use GitHub to authenticate for other developer sites.)
Yeah, this is absolutely not feasible; I have ~200 separate accounts in my password manager right now just for me personally.
I also have hundreds of accounts. But there are ~10 services that are far more important to me and where I care a lot about security beyond passwords (Fastmail, Dropbox, GitHub, Google Apps, Bank, government websites, etc.). I use most of them already with a U2F key and I’ll use them with Passkey.

The hundreds of other sites will probably take years to support Passkeys (they don’t support U2F either). I can convert them when they support it and I happen to do something else account-wise.

I don’t think it’s a huge issue.

Well how bad do you want to leave the Apple ecosystem? :)