[maple3142]

It sounds really really inconvenient when you have a lot of accounts on different websites. Imagine login to add new passkey andremove the old passkey for 100 websites (and my password manager already stores much more than 100 accounts).

[bayindirh]

Yes, I'm aware that it's very inconvenient. I did the same for my TOTP codes because Google Authenticator didn't restore your keys if your devices were different.

So, I had to manually migrate TOTP secrets from 30+ accounts back then, by removing 2FA, and re-enabling it with a new secret.

As I said before, it's a sliding scale trading off between security and convenience. Select your poison and its dosage, and do your own cocktail.

Or, providers will develop a workflow to migrate or add new devices easily. Like "validate on another validated device to add this new passkey" scheme.

[wkat4242]

I know, I use yubikeys for all my important stuff.

But I view passkeys as more for the low-hanging fruit. All the crap accounts that every webshop and news outlet makes you create these days. I have 500+ accounts in my current password manager. Not being able to migrate that away to another service would be a nightmare. Being locked in with a big tech company would be too.

What my ideal would be is to have the master key on multiple HSMs (like multiple yubikeys) so they are safe but mobile.

Also, if software password managers don't offer export options it doesn't mean it's impossible to export. They just don't want to make it possible. But an adversary could. The only way to really make it impossible is hardware tokens which is great for important stuff but not really for those thirteen in a dozen accounts.

[EvanAnderson]

> What my ideal would be is to have the master key on multiple HSMs (like multiple yubikeys) so they are safe but mobile.

That would be glorious. It would be great if it was standards-based, too, to prevent vendor lock-in.