by geoelectric
613 days ago
Re you not being sure how sync would work with multi-device passkeys, you can share a passkey between devices with 1Password, Apple’s Keychain, etc, and use it to log in from any of them. I typically do this rather than manage them per-machine. Per-machine passkeys would ostensibly be better hygiene, but only if I somehow kept them unsynced (easier said than done if you’re using Keychain). Having to manage that process would probably be more mistake-prone than just using the single passkey from my encrypted 1Password store.

For example, suppose a user has two devices with the same password manager. To sync a per-machine passkey from the 1st to the 2nd device, the password manager would have to initiate authentication with the service on the 2nd device and confirm it from the 1st device. I guess this process could be fully automated.
The advantage is that this enables disabling the passkey for a specific device. If a device is stolen, a password/passkey manager could be used to disable all passkeys tied to that device.
Another advantage is that a private key doesn't need to be shared with a third party. A cloud service provider doesn't ever need to see your private key, unless you also want to have a cloud-based backup. But the passkey backed up in the cloud would need to be a unique keypair and maybe even have a different authorization policy (e.g. requiring another authentication factor when using it).
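
The per-device scheme described in the comment above, modelled from the service's side as an added example that is not part of the thread: each device holds its own keypair, a new device is enrolled only when an already-enrolled device signs the request, and revoking one device leaves the others working. It is a simplified model using plain Ed25519 signatures, not the WebAuthn protocol; the `Account` type, the device labels and the `enroll:` message format are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Account is a constructed service-side record: one public key per device label.
type Account struct{ keys map[string]ed25519.PublicKey }

// enrollMsg is the statement an already-enrolled device signs to approve a new key.
func enrollMsg(dev string, pub ed25519.PublicKey) []byte { return append([]byte("enroll:"+dev+":"), pub...) }

// Enroll stores newPub only if an enrolled device signed it (first key = plain registration).
func (a *Account) Enroll(newDev string, newPub ed25519.PublicKey, approver string, sig []byte) bool {
	if len(newPub) != ed25519.PublicKeySize {
		return false
	}
	if pub, ok := a.keys[approver]; len(a.keys) > 0 &&
		(!ok || !ed25519.Verify(pub, enrollMsg(newDev, newPub), sig)) {
		return false
	}
	a.keys[newDev] = newPub
	return true
}

// Login checks the challenge signature against that one device's key.
func (a *Account) Login(dev string, challenge, sig []byte) bool {
	pub, ok := a.keys[dev]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// Revoke drops a single device's key, e.g. after theft; other devices keep working.
func (a *Account) Revoke(dev string) { delete(a.keys, dev) }

// Demo returns: laptop login before revoke, laptop after revoke, phone after revoke.
func Demo() (bool, bool, bool) {
	acct := &Account{keys: map[string]ed25519.PublicKey{}}
	phonePub, phonePriv, _ := ed25519.GenerateKey(rand.Reader)
	lapPub, lapPriv, _ := ed25519.GenerateKey(rand.Reader) // private keys never leave their device
	acct.Enroll("phone", phonePub, "", nil)
	acct.Enroll("laptop", lapPub, "phone", ed25519.Sign(phonePriv, enrollMsg("laptop", lapPub)))
	ch := []byte("constructed challenge") // a real service issues a random, single-use one
	before := acct.Login("laptop", ch, ed25519.Sign(lapPriv, ch))
	acct.Revoke("laptop")
	return before, acct.Login("laptop", ch, ed25519.Sign(lapPriv, ch)), acct.Login("phone", ch, ed25519.Sign(phonePriv, ch))
}

func main() { fmt.Println(Demo()) }
```

Only public keys and signatures reach the service in this model, which is the property the comment attributes to per-device keys.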