[taberiand]

Those issues are applicable to using password management tools generally, rather than specifically to passkeys, aren't they?

It sounds to me like passkeys are a simpler and more secure approach that apply within the existing context that requires unique complex passwords for every account.

In terms of solving those issues, a 1Password account configured on multiple devices with a secured accessible backup of the emergency toolkit has been a robust solution in my experience

[crote]

Not really. Every single password management tool allows plaintext export, so making a backup or transferring them to a different tool is trivial. You can even make a paper copy if you want to.

Passkeys, not so much. They are opaque blobs which are never supposed to leave the manager.

[megous]

> It sounds to me like passkeys are a simpler and more secure approach that apply within the existing context that requires unique complex passwords for every account.

It does not to me. It requires complicated cryptography/tools. Passwords are just directly usable information that are much easier to reason about and work with. I can ask a question about passwords and I can figure out the answer or soltuion for myself without looking up any standards, implementation details of someone elses software or wading through heaps of marketing bullshit.

Say I just want to temporarily share access to an account with someone? How? I know how with passwords. Give it out, change it later to revoke access.

Say I want to export access to just select few accounts (and not the rest) I'll be needing when doing X away from my devices to limit the possiblility of forced compromise. I know how with passwords.

How does backup and recovery work? Can I do it fully offline without invloving any third parties? Will I need anything other than a piece of paper? I know with passwords without looking anything up.

If it's anything, it's not simple compared to passwords. It may be better in a few aspects (or not) but it certainly is not simpler to think about.

The difference between password manager with unique passwords per account and this complicated crypto-thing seems very miniscule. You're either sharing a shared secret or you're proving a possession of a unique secret key per service.

The only difference is how things need to be handled if the service itself is hacked. If it only stores pubkeys, the user's secret keys can still be used for authentication. The problem with this thinking is that attacker may have swapped user's key on the server with his own, hijacking the account anyway. In any case this doesn't lead to compromise of any other services used by the user.

Also, FIDO2 can be used to force you to have to use a device you don't trully own for authentication, taking away your software freedom. Passwords can't be abused like this.

[stavros]

Most of your comment seems to be "I'd rather stay with an extremely insecure authentication scheme to avoid learning anything new".

[megous]

Yes, valuing simple and thus very robust things that you can have full control over is somehow something that can just have the explanation you've given, and nothing else. :)

[stavros]

Passwords are definitely simple and robust. Unfortunately, they aren't secure, a property we generally want in our authentication methods.

[megous]

> ...unique passwords per account...

[stavros]

Still not secure enough, sadly. They can be captured, leaked, stolen, phished, etc, and that's if you use them correctly.