by ufmace 722 days ago
This. I find passkeys very difficult to understand.

It seems I can use my phone as my "passkey". Okay, nice, that should mean I can use the same one on multiple devices, just like with a hardware YubiKey, right? Well, apparently no. Use a phone as a passkey on one device for a web account, try to log into the same account on another device using the phone passkey, and it doesn't work; it claims there is no passkey. I can't see what passkeys are actually present on the phone, so I don't know what's wrong.

There are so many different ways to have and use passkeys, and no way to tell what the status is. I have no idea how less-technical users are supposed to be able to figure this stuff out.

1 comment

Totally - it's super confusing! Apple actually seems to let me plug my passkey into my device (including my phone) and then it works. But I'm not native Apple - all my work stuff is Windows / Linux etc. And passkey is garbage there. I think even Bitwarden is trying to hijack the passkey now. How is this a second factor? If my vault password is taken, and the passkeys are in the vault, then aren't you screwed?

The whole point of a little YubiKey is that if someone gets my password, they also have to get the YubiKey. The chances of that, while not zero, are MUCH smaller. And then I can do a little recovery envelope with a YubiKey in it as a backup.