by lxgr 610 days ago
My keychain has two physical keys, and these change only every time I move.

Of passkeys, I have quite a bit more, with new ones added at least every few weeks. That makes them much harder to physically or even logically replicate one by one.

1 comment

> My keychain has two physical keys, and these change only every time I move.

How often they change is irrelevant, the point is how you would recover them.

> Of passkeys, I have quite a bit more, with new ones added at least every few weeks. That makes them much harder to physically or even logically replicate one by one.

But what is your plan if you lose them? Either you plan to never lose them (3.), you have a way to replace them (2.), or you accept the risk of getting locked out (1.).

> How often they change is irrelevant, the point is how you would recover them.

How is it irrelevant if I can only use my recovery authenticator for the services I’ve enrolled it in, yet enrolling multiple physically separated authenticators is a huge pain practically?

It’s like changing the locks on various doors in my house every other week and trying to have a copy of all keys with friends or relatives living out of town.

Account recovery flows are generally entirely unaffected by the move from password to passkey.

It’s just your login credential.

If you lose either a password or a passkey, you do the same thing: reset and set a new one via email recovery.

> If you lose either a password or a passkey, you do the same thing: reset and set a new one via email recovery.

If that’s an option (and it often really is!), why go through all the trouble of implementing passkeys and not just implement “login via email”?

For some services, that’s not secure enough though.