by selykg 1342 days ago
This is really no different between switching hardware devices.

Step 1. Sign in using your existing device

Step 2. Add your new device

Step 3. Remove your old device (or keep it for a backup)

And if you feel that's going to be a big issue for you, use a 3rd party software based tool like Bitwarden, 1Password, or other tools that have indicated they'll be supporting this. That info will sync between those software based tools and allow you to use whichever devices you wish, across multiple platforms with minimal effort.


> Step 1. Sign in using your existing device

That's possible, unless you are switching device because your previous one broke (or was destroyed/stolen/lost).

I imagine that Apple has very precise data about the reasons why (and situations where) people switch from iOS to Android, and making that switch as unthinkable as possible is part of their user-retention efforts.

Sure, but here's the deal with this. Even with Yubikeys it has always been recommended (as long as I've been involved in these types of discussions anyway) that you should have two of them. If you lose one you have one safely secured that can get you into any service you need to.

This is my general stance on it as well, and one that I think I would still strongly recommend even in this new Passkeys era. That would cover situations where your device is damaged and you can't easily turn the old device on.

Part of this is solved by these keys being synced on each platform's services, they're synced via iCloud Keychain on Apple's side for instance, so you'd just need to get a new Apple device, sign into your iCloud account and provide the password for iCloud Keychain then you're off to the races. But if in the middle of this you opt to switch from Apple to Android, you're SOL unless you have a backup.

Just my two cents on it, I don't think any of this completely solves the need for backups, but for some portion of people it probably does, and that's those that are unlikely to switch between platforms.

> If you lose one you have one safely secured that can get you into any service you need to.

Even that is not good enough, by a longshot. This is so much worse than even regular passwords.

It works for corporations. Lost your key? Go to IT and generate a new one.

It does not work for individuals.

If you don’t trust yourself to have backup keys, you use the Google or Apple ecosystem. As long as you can get back into your Google or iCloud account, you can get back into every other passkey-protected website. You can also use third-party “cloud” password managers if you prefer.

WebAuthn lets you dial the convenience/security tradeoff exactly however you prefer. I’ll be using hardware tokens, but I’ll be telling non-technical people to use their existing smartphones.

It's not that I don't trust myself to have backup keys it is that the workflow is completely broken.

You have to manually add each key on every service. And you can typically at best only add two keys.

It is not a working system for individuals.

You realize you can have multiple devices for Passkeys, right?

It’s webauthn. Which means you can have one or more of the following, in any mix you wish: yubikey, iPhone, Android device, password manager that has said they’ll support this (1Password, Bitwarden, Dashlane, and probably more).

Password managers will sync the private keys between devices as well. So, as long as you can access your password manager you should be able to use that.

You can't sync between yubikeys so not sure what that would add to the mix.

Bro, you're just being difficult here.

You have choices now, whereas before you had basically one.

Yubikey offers you a hardware device specifically for this purpose. It can't be copied and it really is the definition of something you know and something you have. It has pros and cons, one of those cons being that if you want to use them you are stuck having multiple devices, one for a backup.

Don't like that con? Well, play the game a little and you have additional options coming. Such as the solutions from password managers and platforms like Apple and iOS. Add your sites in a password manager and it'll sync between devices, you basically only have to add one single thing (your password manager) and as long as you have password manager access you can sign in to those sites anywhere that your password manager is available, and where it isn't you gain the QR code passkey option that is being added.

You can mix and match this to your hearts content. Want to use a Yubikey as a backup? Add the device to your sites, stash it away where necessary. Yes, the con of having to add it to each site is still there but it is an option. Want to use all of these? Sure can. Add your iOS device, your password manager, and your Yubikey.

Want to only use one? Just add that device. But you might be foot-gunning yourself without backups depending on which you use.

Stop being difficult and just use your head a little.