[kseifried]

Updated my paper:

https://news.ycombinator.com/item?id=37833390

Scenarios dealing with the loss of Passkeys:

The scenarios for dealing with the loss of Passkeys are effectively the same as dealing with the loss of your Password Manager (if you use one) or otherwise stored passwords.

Dealing with the loss of all your devices that use Passkeys If you manage to lose access to all your devices that are used to authenticate via Passkeys (e.g., a house fire), then there are two main outcomes: either you have your Passkeys synchronized to a cloud provider or other external entity that still has a copy of all your Passkeys, or you do not. If you do not have a backup of all your Passkeys, they are gone, and you will need to fall back to account recovery for each affected account. If you have a backup of your Passkeys, you would need to regain access to it on a new device and then synchronize the Passkeys to it and use them as normal.

Dealing with the loss of your accounts that synchronize and store Passkeys If you use a synchronization service attached to an account, it is possible that the account can be deleted or access to it otherwise lost. In this event, you would most likely still have a working copy of your Passkeys on your devices, and depending on whether or not you can export them or reconfigure synchronization with a new account, you would be able to add them to a new account, effectively creating a new account to store and synchronize your Passkeys.

Dealing with the loss of all your Passkeys

If your Passkey account is not only deleted but also tells all your devices to delete the Passkeys, or you lose all your devices and the accounts are deleted due to inactivity then you are basically in the same situation as having lost all your devices and not having a backup. You will need to fall back to account recovery for each affected account.

[secabeen]

This is accurate, but by putting your passkey backup with that external entity, you are putting all your keys in that basket. Passwords have an obvious, backup option with zero dependencies on third-parties: A printed list in a fire safe. I would not advise users go heavily with any passkey provider that does not provide a physical backup of a similar form that can be secured through non-technical means, and that can be used by an heir or attorney to act as you when you are unable to do so.

[kseifried]

The problem with that is people don't have fire safes. Or homes in some cases (e.g. many unhoused people have smartphones now). Also people need to travel and do recovery without having to fly home to their safe.

The idea that printing a backup is easy and an option for many people is often not the case.

[rtsil]

And that is why most people use a single, easy to remember password for everything: even if their house burns, their devices are gone and they no longer have their phone number, they can still remember their password.

For all of its many weaknesses, a password has that one major advantage over all the other authentication methods, and unless a new method provides a similar advantage, most people will keep using a password, just like they did even with the appearance of private keys, biometrics, USB tokens, SMS or TOTP.

[dsego]

And it's a hassle to keep it in sync. If you decide to update your password you need to remember to print out a copy and store it in the safe, oh and throw out the old one.

[xg15]

> (e.g. many unhoused people have smartphones now)

I go out on a limb and say one smartphone usually - that is at heightened risk of getting stolen. With passwords, the person would probably just pick something they can remember in case the phone gets stolen. With passkeys, what should they do?

[secabeen]

> The idea that printing a backup is easy and an option for many people is often not the case.

Fair enough, but that is an argument for multiple durable recovery and remediation solutions, which few of the current providers have.

[the_snooze]

Passkeys aren't inherently un-backup-able. I do agree though that the most common forms of it (e.g., Android/iOS/Windows secure enclave passkeys) need better ways of recovery and remediation.

That said, what you describe is easily doable in other forms. For hardware tokens, you can have a spare Yubikey that's authorized on your accounts and keep that in a fire safe with its unlock PIN. For something like 1Password, you can print out a recovery kit [1] with the secret key and unlock password.

[1] https://support.1password.com/emergency-kit/

[secabeen]

> Passkeys aren't inherently un-backup-able

Agreed, I'm just not willing to endorse their use until there are robust recovery and remediation processes.

> For something like 1Password, you can print out a recovery kit [1] with the secret key and unlock password.

Yeah, this is what I want Google/Appleto provide as it is robust to both user incapacity and provider refusal-of-service.

[goalieca]

> Agreed, I'm just not willing to endorse their use until there are robust recovery and remediation processes

They seem ripe for corporate use where ransomware and phishing are common threats and IT can manage account resets by walking over to their desk.