by obelus 824 days ago
You can store passkeys directly in Proton Pass and access them via mobile or desktop (which doesn't require additional hardware).

You can also keep a backup on a Yubikey as a webauthn passkey, protected with a pin which will self destruct after enough failed attempts.

A passkey is a cryptographic key pair: a private key stored (encrypted) in a password manager/server or on a Yubikey, etc., and a public key that is stored on the originating service.


Right, but my question was how to handle the "oh shit!" case where you need to start from scratch, like getting your things stolen when in another country.

Today I can connect to my email server using a library computer (or hotel guest computer, or rental business desk), log in with my password, and be able to contact someone who can help, or download a copy of the ticket for printout.

If I switch to passkeys, will this recovery method still work? Do I keep a Yubikey on a keychain? And USB A/C adapter?

Proton Pass seems to require installing something on the machine, which would seem to reduce the number of options I have.

> I personally keep a Yubikey on my keychain (pin protected) with backups for critical webauthn/passkeys.

That requires being able to plug in your device, right?

How many such keys are needed? I'm guessing about 5? Give a couple to trusted friends, in case my residence burns down, keep one with me, and two at home as backup, because I know I'll lose things?

How often should I verify they still work? (Backups don't exist until you've restored, so I assume the same applies here?)

Everything I see about passkeys makes me think the failure mode can be more tragic than using passwords, and the use case is for people willing to trust Apple or Google.

I think I'm willing to trust Proton - for one, they support deGoogled Android - but I don't understand the risks in switching, or what backup practices I need.