by danShumway
1217 days ago
The FIDO Alliance can recommend whatever they want, but making multiple passkeys is not a substitute for import/export. It's a backup strategy for what happens if a device gets lost; it doesn't make it any easier to set up new devices. Backup is an orthogonal problem to migration, and it's really weird that the FIDO Alliance keeps treating them like they're the same problem. You're still looking at a scenario here where if you buy a new phone without any passkeys on it and it's in a different ecosystem, you have to manually migrate every single site you have an account with. That's a huge accessibility problem for ordinary people; that's absolutely going to hinder adoption.
I just checked mine, and it shows my Microsoft credentials and NVidia.
But I know for a fact that I also use it on Vanguard and BofA (which doesn't support keys on iOS in case you're wondering).
So I 1) cannot extract the master key from my YubiKey and move it to another one to make an exact duplicate, and 2) cannot discover the places where I registered my key.
For SSH you can have a 'sk' key and a normal one [0]. I went with the normal one and moved it into the YubiKey, at least that way I have a backup sitting SOMEWHERE.
[0] https://cryptsus.com/blog/how-to-configure-openssh-with-yubi... (not affiliated at all)