by xmdx 1116 days ago
Is the whole idea of syncing passkeys a bad idea? Or at least a less secure idea. Someone explained to me that passkeys are hardware backed, each passkey is stored on device and tied to the hardware, so even if someone managed to get access to it, they would also need the hardware to get it to work. These software based keys that can be synced are less secure as a result. Then it just becomes like a password again.

I need to read up a bit more on passkeys in general tbh.

3 comments

Passkeys as a brand include both hardware-backed keys that can't be exported and are device-specific. These can be used for things like 2FA/MFA-type scenarios. They also involve a lot of site-specific keys that may not be hardware-backed and syncable. The neat fun thing is that they can be synced with hardware-backed keys for strong E2E between a user's enrolled devices and only the user's enrolled devices (plus maybe a hard to use recovery key). (That's basically how iCloud's Password/Passkey store and a lot of iCloud E2E in general seems to work.)

Passkeys in general, especially the focus on a lot of site-specific E2E shared ones, are very much "just like a password", but as the sibling comment points out, the switch to PKI alone is a huge security win and would stop a lot of the haveibeenpwned sorts of leaks and the overall attractiveness to crackers of breaking into various companies' password databases, because only having a public key is a lot less useful than a salted/hashed password that might be broken or found in a rainbow table.

It is less secure, but more convenient. You can pick either option. Or you can have both with delegation ("your husband is trying to log in as you on www.google.com, allow?").

I think passkeys + 2FA is enough. Just enforce 2FA for any important service and it will be fine; if you don't force it, then people who aren't as tech savvy will not do it, or people may forget.

For anything non-important I actually use sign in with Google, so.