[sebk]

1Password's and Dashlane's implementation keeps the key material and does crypto in software, meaning it's less isolated from the operating system than hardware-backed implementations. That might be an acceptable tradeoff for some, but definitely not for all, and I doubt that was the original intention of FIDO2 when it was designed -- the spec only mentions virtual authenticators in the context of testing.

I hope the FIDO alliance members come up with a solution that has both hardware backing and third-party vendors. I'd love to have 1Password syncing passkeys to Yubikeys or secure element that can be used independently of the 1Password app and subscription itself.

[jmcnulty]

My biggest anxiety with hardware-backed security is what happens if someone breaks into my house and steals my laptop and phone. Today I would buy a new laptop, login to Bitwarden using my strong memorised master password and carry on. If everything about me is linked to hardware-backed passkeys then my digital life walks out the door with the thief.

[sebk]

This is a totally valid concern. A mitigation is to have some other device or mechanism to generate a device that's part of sync fabric in escrow somewhere else. Of course, this introduces two new problems: Where do you keep it in escrow, and how do you authenticate to that escrow service given that your authenticators are gone. Safe deposit boxes are one alternative: They're authenticated by your presence and government-issued ID. Apple uses a 24-character key and keeps the encrypted record in its HSMs. Crypto wallets tend to use a 24-word recovery phrase to derive a key. These last two options you could also escrow with a third party or maybe even memorize.

For what it's worth, it's not an inherent problem with hardware backed security, at least not in the context that I was talking about. If you were using pure software implementations of WebAuthn, you could also authenticate to that sync fabric only using WebAuthn and you'd have that exact same problem you're describing.