This will vary depending on the provider, but you could think of passkeys getting synced between devices in much the same way that saved passwords get synced. Apparently Google's implementation stores an encrypted backup of the passkeys in your Google account [1]:

> A single passkey identifies a particular user account on some online service. A user has different passkeys for different services. The user's operating systems, or software similar to today's password managers, provide user-friendly management of passkeys. From the user's point of view, using passkeys is very similar to using saved passwords, but with significantly better security.

> [...]

> In some cases, for example, when the older device was lost or damaged, users may need to recover the end-to-end encryption keys from a secure online backup.

> To recover the end-to-end encryption key, the user must provide the lock screen PIN, password, or pattern of another existing device that had access to those keys.

Note that restoring passkeys on a new device requires both being signed in to the Google Account and an existing device's screen lock. So, if you use Google to store passwords or passkeys, it would be a good idea to save backup codes for your Google account somewhere safe. (Like you should do anyway.)

[1] https://security.googleblog.com/2022/10/SecurityofPasskeysin...
Alternatively, if you're locked out of your Google account, these passkeys are also dead, as the encryption keys are bound to the account. And passkey reset through email, for instance, would also probably be out of the question if it was your primary email account...
People should think long and hard about what services they assign passkeys to with their Google accounts; it's a lot more binding than a plain password or standard 2FA was.