by frogsRnice
540 days ago
I've also seen some pretty terrible implementations that don't even allow end users to manage enrolled devices; so if someone steals your authenticator they have access to your account indefinitely. Personally I like the benefits passkeys offer, but some work still needs to be done around management of enrolled devices.
If a user's device is compromised, an attacker can also install a keylogger and steal all their passwords, or better yet steal all their cookies/sessions.
Once a device is compromised, it doesn't really matter what type of credential you're using to authenticate/login with.
But also, if device compromise is what it takes to steal a user's credential, then that would be amazing because it would mean that the goal posts have been moved dramatically in terms of attacker effort. Today, attackers only have to focus on either hacking/attacking 1 service or spinning up a single phishing page, and they can mount attacks targeting hundreds of thousands of users with minimal effort.
If passkeys mean that all of a sudden the attackers need to try to compromise hundreds of thousands of unique endpoints/devices, then the amount of resources and effort they need to expend to compromise the same number of users will be raised astronomically. That's a win.