by skarra 978 days ago
Passkeys are a new technology and everyone - including users, service providers, and organizations - will take time to learn and adapt. In this interim period the recommended approach is to provide passkeys as an alternative to whatever is already offered. This is the approach that Google and many other service providers are taking.

That said, you are bringing up the right questions on the general topic of account recovery that everyone should be asking even without passkeys: "How would I login if I forget my password / lose access to my password manager / lose my second factor devices" and have a plan. Introduction and adoption of passkeys do not completely eliminate the need for thinking about your account recovery situation.

However, there is one special case where using passkeys is actually better for account recovery. If you create passkeys for your Google account on an Apple device with iCloud keychain, the passkeys are synced to your iCloud, so now even if you lose all your devices because your house burned down, as long as you have access to your iCloud account, you can just get all the passkeys for your Google accounts (and other websites).

Now, you may ask: "what if I lose access to my Apple iCloud account?" -> that's a fair question! Which is why I said Account Recovery concerns do not completely go away - but they can be significantly reduced with passkeys in many cases.


All those issues were obvious from day zero, and raised multiple times by many people. They're deliberately ignored by the stakeholders.

They strongly want to lock you in to their own authentication platforms (iCloud Keychain, Windows Hello, 1Password*), that's why they don't want to address this.

It's impossible they're not aware of those issues. Anyone with a brain and some technical expertise would come up with those questions in an evening or two, and Passkeys were worked on for months. To the best of my awareness, there is no official acknowledgement (support replies of "no, you can't do this" don't count, that's just restating facts, not acknowledging an issue).

*) Ok, 1Password says they're all about user freedoms and that it's up to the user to decide where they store their passkeys - but that's what they say, not what they do. What they do is indistinguishable from Apple and Microsoft.

You can recover access to your iCloud Keychain even if you've lost 100% of your devices.

See the section titled "Recovery security" in this article:

https://support.apple.com/en-us/102195

Relevant excerpt for those too lazy to click through:

"However, it's also important that passkeys be recoverable even in the event that all associated devices are lost. Passkeys can be recovered through iCloud keychain escrow, which is also protected against brute-force attacks, even by Apple."

If I understand it correctly, this only works on another Apple device, though. So you'll need a spare iPhone or something.

Also, I'm pretty sure if Apple decides to block your iCloud account, you're most likely SOL.

> To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number.

On account recovery, the user is strictly no worse off with passkeys relative to passwords and arguably actually better off in many cases. This is not what I'd call deliberately ignoring concerns.

Yes, but if you had to resort to recovery you’re already past Passkeys or passwords. Recovery is not exactly in either’s spec, it’s a separate matter. Saying “but recovery is the same” is pointless - sure it is, by definition, because it’s out of scope.

Passkeys make it more likely that you’ll have to resort to account recovery, because it’s explicitly easier to lose passkey access than password access (assuming that all platforms that implement passkeys implement password management as well, and that every password manager allows “export” by showing the password to the naked eye).

One can write a copy of their password in a notebook and use it from anything with a keyboard and network connection. This mechanism is built in.

Passkeys are explicitly worse in this regard, as they don’t address export at all. Some implementations may be on par, but the overall spec is strictly worse, as it fails to address a number of obvious issues.

How can a user, right now, take control + ownership of backing up their own passkeys, without iCloud or Google?

This is a privilege I currently enjoy right now, and one I am not really eager to give up.

It depends on your web browser. Just see what happens here https://webauthn.io/

Firefox on Desktop tells me to "touch my security key". Not sure how that works. Firefox Android gives me a few hardware options to store my passkey to. Chrome Desktop asks me to enable Bluetooth. Chrome Android asks which Google Account to use.

Just tried that with Firefox on Android and while it works, I can't find any evidence of a stored passkey on my device, let alone a way to export it.

Are you on Linux? AFAIK it doesn't work on Desktop Linux.

I use passkeys everywhere I find them. I do not take control or ownership of backing up - instead I have alternative 2fa or hardware key authentication with all those accounts.

For every account I have a hardware key for, there are 3 hardware keys associated with that account - 2 on-site, 1 off-site.

How do you register your off-site hardware key? Did you have to go retrieve it each time you wanted to make an account?

I suppose every time one makes an account one can register the two on-site keys, and then rotate one of your on-site keys to off-site and take the off-site key home with you, and then finally register it.

Maybe I should get a third key...

I think you answered your own question! Three keys is the optimum for ease of rotating (or so you can carry one on your person) - but if your house burns down with your phone in it - you will lose anything set up since your last offsite rotation.

Sounds paranoid / crazy - but I have 0 anxiety about being locked out of an account that matters.

Which hardware keys are you using? And have you found any difficulty in adding multiple keys to a web site?

Yubikey keys - zero difficulty adding multiple - if a site doesn't allow multiple I wouldn't lock my account down to a single point of failure. All the big players seem to offer it, and I cannot recall any that didn't. Google in the "advanced protection" days forced you to have more than 2 keys for this reason.

By count of sites, most sites don't appear to take security that seriously so anything more than a password is off the cards, but the big ones - the ones that actually matter; email, cloud, etc. should all be able to be secured.

I've got security keys on Yubikeys, Android devices, and Windows devices. Only one of these is Google.

Password managers like Dashlane and 1Password have announced support for storing and syncing passkeys. As passkeys become more popular I expect more providers to step up as well.

Ecosystem lockin is not how we make a new technology like this successful. And all players in the game understand that.

1Password does not give control and ownership.[1]

[1] https://news.ycombinator.com/item?id=37836783

Appreciate the response. And I wish this message was front and center. The Attestation feature is what worries me, when, say, the bank turns it on for a few 'blessed' providers, or mandates a hardware implementation.

Watching https://github.com/keepassxreboot/keepassxc/issues/1870 with bated breath... :)

Your concern around attestation (mis)use is spot on. I'd say the industry is yet to arrive at an acceptable consensus or compromise on that question.

I use 1Password [0] for syncing passkeys, and it works quite well. I would imagine other password managers are building similar features.

[0]: https://support.1password.com/save-use-passkeys/

1Password does not give control and ownership.[1]

[1] https://news.ycombinator.com/item?id=37836783

Rearranging deck chairs on the Titanic.

This whole scheme depends on either users being savvy enough to do vault backups or depending on service providers being functional.

Both are quite doomed.

Users have a path for passwords - they can write them down on paper and keep them with their important things. This tends to work for most folks.

The backup story for passkeys is horrible. There is no path for my elderly relatives who don't use cloud services.

Until that is fixed, passkeys will never replace passwords.

Don't forget password sharing! That is a whole screwed up story with passkeys too.

Passkeys represent the cumulative wisdom and experience (and compromises!) of the whole industry on how to keep users safe online. Appreciate your opinions that these efforts are doomed. It is safe to say, "We'll surely find out!"

"The Industry" also has interests like making password sharing impossible, uniquely tracking users and _doesn't care_ if users get locked out.

The industry does not put users first. It puts its own risk reduction first.

Did you know that Apple allows sharing passkeys via Airdrop?

Doesn't that give access to everything you've signed in using that passkey? Rather than e.g. sharing the password for the family Netflix account.

No... A passkey is specific to a context (RP), which is why they're not stored on things like Yubikeys (which I think a lot of people in this thread are confused about -- the keying material on the Yubikey isn't enough to create the passkey).

Your Netflix passkey is not the same as your passkey to other services. It's generated as soon as you enroll the passkey with Netflix (by calling "navigator.credentials.create()") and is identified by an opaque handle and also the public key (this is important, because you never get the public key again so you must keep both of these: the ID, and the Public Key, otherwise you can't verify a challenge-response, since you're only given an ID and a Digital Signature at that point).

For a site to use a passkey it calls "navigator.credentials.get({ publicKey: { challenge: ..., rpId: "<same_id_as_used_when_creating_like_netflix.com>" }, mediation: "silent" })"

Which returns the key ID and a signed version of the challenge, or an error.

Everywhere you authenticate you have one or more keys, identified by these opaque handles which are stored in the User Agent and associated with some mechanism for performing digital signatures with that unique key. The User Agent, generally, has to store and distribute this information if you want to use the same passkey across multiple devices -- even if you're using a Yubikey (because, again, it's not storing the key being used for the digital signature, it's storing a private key which is used in the process of generating the digital signature, but not the passkey's actual private key -- i.e., the secret part of the public key generated earlier).

Only if you exchange contacts first and are ah.. in Airdrop range.

Your grandmom probably isn't gonna be airdropping a Netflix password.

Can I print out the passkey as a QR code and scan it back in on a different device?

> Passkeys represent the cumulative wisdom and experience (and compromises!) of the whole industry on how to keep users safe online.

That is true _if_ you do not highly weigh all the concerns that have been brought up in this thread today. I do not trust Google to help if things go wrong so why would I ever consider such a system wise? Frankly, you seem to be ignoring concerns if they contradict your belief that this system is better. I'm reminded of Upton Sinclair.

Did you see they worked for Google? Or did you guess correctly?[1]

[1] https://news.ycombinator.com/item?id=37833206

> That said, you are bringing up the right questions on the general topic of account recovery that everyone should be asking even without passkeys: "How would I login if I forget my password / lose access to my password manager / lose my second factor devices" and have a plan. Introduction and adoption of passkeys do not completely eliminate the need for thinking about your account recovery situation.

Talk about victim blaming. Google and other companies introduce policies that make total identity lockout both easier and more problematic. Instead of investing in customer service to deal with this issue, the customer needs to "have a plan". What a crazy coincidence that this policy increases Google's profitability by decreasing support.

You should disclose your employer more consistently.

I work on Google's authentication team. I have mentioned this elsewhere in the thread.

Your other disclosure is why I said more consistently. Do you believe all readers will read all comments and index mentally by user name?

But you can set family members/significant others/etc as possible recovery mechanisms! This seems like a really workable solution that I don’t see people discussing in this thread?

Aren't people lonelier than ever, have fewer friends than ever, live alone more than ever, fall out with their families more than ever?