by secabeen 977 days ago
This is accurate, but by putting your passkey backup with that external entity, you are putting all your keys in that basket. Passwords have an obvious backup option with zero dependencies on third-parties: A printed list in a fire safe. I would not advise users go heavily with any passkey provider that does not provide a physical backup of a similar form that can be secured through non-technical means, and that can be used by an heir or attorney to act as you when you are unable to do so.

The problem with that is people don't have fire safes. Or homes in some cases (e.g. many unhoused people have smartphones now). Also people need to travel and do recovery without having to fly home to their safe.

The idea that printing a backup is easy and an option for many people is often not the case.

And that is why most people use a single, easy to remember password for everything: even if their house burns, their devices are gone and they no longer have their phone number, they can still remember their password.

For all of its many weaknesses, a password has that one major advantage over all the other authentication methods, and unless a new method provides a similar advantage, most people will keep using a password, just like they did even with the appearance of private keys, biometrics, USB tokens, SMS or TOTP.

And it's a hassle to keep it in sync. If you decide to update your password you need to remember to print out a copy and store it in the safe, oh and throw out the old one.
> (e.g. many unhoused people have smartphones now)

I'll go out on a limb and say one smartphone usually - that is at heightened risk of getting stolen. With passwords, the person would probably just pick something they can remember in case the phone gets stolen. With passkeys, what should they do?

> The idea that printing a backup is easy and an option for many people is often not the case.

Fair enough, but that is an argument for multiple durable recovery and remediation solutions, which few of the current providers have.

Passkeys aren't inherently un-backup-able. I do agree though that the most common forms of it (e.g., Android/iOS/Windows secure enclave passkeys) need better ways of recovery and remediation.

That said, what you describe is easily doable in other forms. For hardware tokens, you can have a spare Yubikey that's authorized on your accounts and keep that in a fire safe with its unlock PIN. For something like 1Password, you can print out a recovery kit [1] with the secret key and unlock password.

[1] https://support.1password.com/emergency-kit/

> Passkeys aren't inherently un-backup-able

Agreed, I'm just not willing to endorse their use until there are robust recovery and remediation processes.

> For something like 1Password, you can print out a recovery kit [1] with the secret key and unlock password.

Yeah, this is what I want Google/Apple to provide as it is robust to both user incapacity and provider refusal-of-service.

> Agreed, I'm just not willing to endorse their use until there are robust recovery and remediation processes

They seem ripe for corporate use where ransomware and phishing are common threats and IT can manage account resets by walking over to their desk.