[aborsy]

I’m not an expert in these protocols, but it’s the public key that is synced. There is no need for the private key leaving the device, in “asymmetric authentication”.

Syncing the private key is like “symmetric authentication”, where the hashed password is sent to the website. That’s the old way of authentication.

[yencabulator]

"Passkeys" are backed up into Google/Apple/1Password cloud. You can grab a fresh laptop and download your synced passkeys into it, and log in from there.

That being possible means the private key material has to be backed up, as opposed to being permanently locked into an HSM like Yubikey.

[aborsy]

No, only public key has to be synced, for that to be possible :)

Think of ssh keys. Only your public key has to be transferred to the server for you to login.

[yencabulator]

Take laptop A. With it, use a passkey to log into a website. Sync passkey with the FAANG of your choice. Destroy laptop A.

Take laptop B. Log in to your FAANG of choice, syncing passkeys locally. Use laptop B to log into the same website.

Your FAANG of choice saw much more than a public key, for that to be possible. That might have been encrypted by something like your password to the FAANG, but still, it's the opposite of a tamperproof HSM.