by drdaeman 978 days ago
All those issues were obvious from day zero, and raised multiple times by many people. They're deliberately ignored by the stakeholders.

They strongly want to lock you into their own authentication platforms (iCloud Keychain, Windows Hello, 1Password*), that's why they don't want to address this.

It's impossible they're not aware of those issues. Anyone with a brain and some technical expertise would come up with those questions in an evening or two, and Passkeys were worked on for months. To the best of my awareness, there is no official acknowledgement (support replies of "no, you can't do this" don't count, that's just restating facts, not acknowledging an issue).

*) Ok, 1Password says they're all about user freedoms and that it's up to the user to decide where they store their passkeys - but that's what they say, not what they do. What they do is indistinguishable from Apple and Microsoft.


You can recover access to your iCloud Keychain even if you've lost 100% of your devices.

See the section titled "Recovery security" in this article:

https://support.apple.com/en-us/102195

Relevant excerpt for those too lazy to click through:

"However, it's also important that passkeys be recoverable even in the event that all associated devices are lost. Passkeys can be recovered through iCloud keychain escrow, which is also protected against brute-force attacks, even by Apple."

If I understand it correctly, this only works on another Apple device, though. So you'll need a spare iPhone or something.

Also, I'm pretty sure if Apple decides to block your iCloud account, you're most likely SOL.

> To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number.

On account recovery, the user is strictly no worse off with passkeys relative to passwords and arguably actually better off in many cases. This is not what I'd call deliberately ignoring concerns.
Yes, but if you had to resort to recovery you’re already past Passkeys or passwords. Recovery is not exactly in either’s spec, it’s a separate matter. Saying “but recovery is the same” is pointless - sure it is, by definition, because it’s out of scope.

Passkeys make it more likely that you'll have to resort to account recovery, because it's explicitly easier to lose passkey access than password access (assuming that all platforms that implement passkeys implement password management as well, and that every password manager allows "export" by showing the password to the naked eye).

One can write a copy of their password in a notebook and use it from anything with a keyboard and network connection. This mechanism is built in.

Passkeys are explicitly worse in this regard, as they don't address export at all. Some implementations may be on par, but the overall spec is strictly worse, as it fails to address a number of obvious issues.