by cassianoleal
1086 days ago
> 98% of passkeys will be stored in cloud accounts with those providers.

They will also (and primarily) be stored in the individual devices, and don't need cloud access to the providers in order to be used. In this sense, it solves one of the main issues with third-party sign-in, i.e. that if the provider decides to lock your account, you get locked out of any linked services.

> You can transfer that problem from your site to a cloud provider

With passkeys? How so? Are passkeys not just cryptographic key pairs? If your service associates a certain account to a certain public key, there's nothing an external cloud provider can do to solve the issue you describe.

It's possible I've missed something; like I said before, I'm still wrapping my head around the whole thing.
|
Without passkeys, if one of my users lost their "second factor" (e.g. lost phone) I had to provide a flow for them to get into their account despite that, while remaining secure.
With passkeys, users can restore their "second factor" from a cloud backup, so long as they can get access to that cloud backup. Hence, my lost-second-factor flow is outsourced to the user's cloud provider.