Cellphones and USB keys can get lost / stolen. What's your recommendation on how to handle Passkeys to avoid losing control of your digital life if any / all of your devices get lost?
1Password, Apple, and maybe Chrome can sync them into the cloud so they become device-independent. Under such an implementation they're basically like a cloud password manager but instead of filling in a password for you, they just send the token.
I use the 1Password one and it's super convenient on several devices. Probably less secure than real 2fa or proper hardware encryption though. Basically replaces "something you know and something you have/are" with "something only they know".
(Security isn't my specialization, so somebody please correct me if I'm wrong).
My understanding is that two APIs talking to each other and exchanging one-time tokens is better than the same APIs exchanging passwords. Passwords are susceptible to phishing attacks, rainbow tables, dumb password requirement policies, and also just basic fuckups like transmitting in clear text or not hashing and salting it.
Compared to time-based software OTPs that 1Password also did, I don't see any security improvements there. But the user experience is better (one click instead of multiple).
Compared to gold standard 2fa (something you know AND something you are or have), I think passkeys are actually a downgrade. They wouldn't be if you used your hardware secure enclave as your key storage, but you can't do that if you want the convenience of cloud sync, so we're back to square one.
All in all it seems to me that passkeys primarily offer better convenience with good enough, not optimal, security. Which is probably the right balance IMO.
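To make the "exchanging one-time tokens instead of passwords" point concrete, here is an added example (not from the poster above, and not any vendor's code) that walks a simplified WebAuthn-style passkey flow in Go: the authenticator keeps a per-site private key, the server stores only the public key, each login signs a fresh random challenge together with the origin the browser saw, and the server checks challenge freshness and origin before the signature. Assumptions: Ed25519 instead of the usual P-256, the signing input collapsed to SHA-256(rpID) || SHA-256(origin|challenge) rather than the real authenticatorData/clientDataJSON layout, an rpID equal to the origin host, and made-up names (`example.test`, `examp1e.test`, user `alice`). Where the private-key map lives is the only difference between a hardware-bound passkey (secure element) and a synced one (the vault replicates it); the protocol is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator holds passkey private keys, one per relying party (rpID).
// Hardware-bound: this map sits in a secure element. Synced: the vault
// replicates these keys between devices. The protocol is identical.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register makes a fresh key pair for one rpID; only the public key leaves.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Assertion is the authenticator's answer to a challenge. Origin is what the
// browser saw (not what the user typed) and is covered by the signature.
type Assertion struct {
	Origin, Challenge string
	Signature         []byte
}

// signedMessage is the simplified signing input (assumption, see lead-in):
// SHA-256(rpID) || SHA-256(origin "|" challenge).
func signedMessage(rpID, origin, challenge string) []byte {
	rp := sha256.Sum256([]byte(rpID))
	cd := sha256.Sum256([]byte(origin + "|" + challenge))
	return append(rp[:], cd[:]...)
}

// Sign answers a challenge for rpID. A look-alike domain is a different rpID
// with no key, so there is nothing for a phishing page to obtain.
func (a *Authenticator) Sign(origin, rpID, challenge string) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	sig := ed25519.Sign(priv, signedMessage(rpID, origin, challenge))
	return &Assertion{Origin: origin, Challenge: challenge, Signature: sig}, nil
}

// RelyingParty (the server) stores public keys and outstanding challenges.
// A breach of this store leaks nothing reusable, unlike a password table.
type RelyingParty struct {
	ID, Origin string
	users      map[string]ed25519.PublicKey
	challenges map[string]string // user -> unconsumed challenge
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin,
		users: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
}

func (rp *RelyingParty) StoreCredential(user string, pub ed25519.PublicKey) {
	rp.users[user] = pub
}

// NewChallenge issues a random one-time value; a captured assertion cannot
// be replayed because the value is consumed on first use.
func (rp *RelyingParty) NewChallenge(user string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	rp.challenges[user] = hex.EncodeToString(b)
	return rp.challenges[user]
}

// Verify checks challenge freshness, then origin binding, then the signature.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	pub, ok := rp.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if want, ok := rp.challenges[user]; !ok || want != as.Challenge {
		return errors.New("stale or unknown challenge")
	}
	delete(rp.challenges, user) // consume before any further checks
	if as.Origin != rp.Origin {
		return errors.New("origin mismatch: " + as.Origin)
	}
	if !ed25519.Verify(pub, signedMessage(rp.ID, as.Origin, as.Challenge), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	rp := NewRelyingParty("example.test", "https://example.test") // constructed names
	pub, _ := auth.Register(rp.ID)
	rp.StoreCredential("alice", pub)
	as, _ := auth.Sign(rp.Origin, rp.ID, rp.NewChallenge("alice"))
	fmt.Println("login:", rp.Verify("alice", as))
	fmt.Println("replay:", rp.Verify("alice", as))
	_, err := auth.Sign("https://examp1e.test", "examp1e.test", "c")
	fmt.Println("look-alike site:", err)
}
```

The two checks worth noticing are the ones a password can never give you: the challenge is consumed on first use, so a captured login cannot be replayed, and the origin is bound into the signed message by the browser, so the "something only they know" in the thread is a per-site key that is useless to anyone who merely sees one exchange.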