They're screwed, but that already happens. You have no idea how many people lose their phone or forget some password and just get a new phone/account, without trying to recover the old one.
Parents who lost their child's photos and are like oh well.
Assuming a normal user doesn't use the same password everywhere (which means everyone already knows their password), the alternative is saving them. Lost password or lost passkey doesn't make much difference.
Computing literacy is low so people will just suffer the consequences.
Until the passkey workflow goes sideways for "tech" people I don't think the risks will be acknowledged (if then even).
Those of us who don't want to let Google, Apple, or Microsoft manage our passkeys (i.e. pledging our fealty to our lords) will be seen as fringe lunatics.
I'll keep my workflow of always visiting sites by typing the URL myself, using a password manager, and TOTP 2FA w/ the secrets saved offline on paper. At least until I'm not allowed to do that anymore.
Same here, I don't like passkeys for many reasons. Another reason is that I can't see the key that I'm using. Therefore: What if Bitwarden doesn't pick up the passkey? Tough luck, I'm out of options. I cannot manually create a passkey entry in Bitwarden because it's all hidden magic. If I notice that the password manager doesn't pick up a registration then I just add it myself. Not possible with passkeys.
All of the major implementations sync across all of your devices and use recovery codes as part of the setup process. Apple’s implementation is designed to cover loss of all devices, and I’d assume the others are similar:
The key thing to understand is that passkeys are not intended to be as secure as hardware tokens but to be more secure than traditional passwords with phishing-friendly MFA. That allows them to offer better recovery options but might not be good enough if you are the target of a serious actor.
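The phishing resistance mentioned in the comment above comes from the way a passkey is bound to a relying party ID and the browser-supplied origin. As an added illustration (this is example code written for this page, not code from the thread, from Bitwarden, or from any platform authenticator), the following Go program simulates the WebAuthn assertion flow at toy scale: an authenticator that signs only for the RP ID its credential was created for, a browser that refuses RP IDs that don't match the page origin and stamps the real origin into clientData, and a relying party that verifies challenge, origin, rpIdHash and signature. The hosts example.com and example.com.evil.test, the fixed challenge, and all function names are constructed for the example; attestation, user handles, the signature counter, and public-suffix handling are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Credential is what the authenticator holds: a key pair scoped to exactly one RP ID.
type Credential struct {
	RPID string
	Priv *ecdsa.PrivateKey
}

// ClientData mirrors the clientDataJSON fields that matter here.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"` // filled in by the browser, never by the page
}

type Assertion struct{ AuthData, ClientDataJSON, Sig []byte }

// rpIDAllowed is the browser-side rule: the RP ID must be the origin's host or a parent domain of it, so https://example.com.evil.test cannot ask for "example.com" (public-suffix handling omitted here).
func rpIDAllowed(origin, rpID string) bool {
	u, err := url.Parse(origin)
	return err == nil && u.Scheme == "https" && (u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID))
}

// signedHash is what the private key signs: authenticatorData || SHA-256(clientDataJSON).
func signedHash(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return h[:]
}

// BrowserGet stands in for navigator.credentials.get(): the browser enforces the RP ID rule and stamps the true origin into clientData; the authenticator only signs for the RP ID its credential was created for.
func BrowserGet(c *Credential, origin, rpID, challenge string) (*Assertion, error) {
	if !rpIDAllowed(origin, rpID) {
		return nil, errors.New("browser: RP ID " + rpID + " not valid for " + origin)
	}
	if rpID != c.RPID {
		return nil, errors.New("authenticator: no credential for RP ID " + rpID)
	}
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(c.RPID))
	auth := append(rpHash[:], 0x01, 0, 0, 0, 0) // rpIdHash || flags (UP set) || signature counter (unused here)
	sig, err := ecdsa.SignASN1(rand.Reader, c.Priv, signedHash(auth, cd))
	return &Assertion{auth, cd, sig}, err
}

// Verify is the relying party's check. Challenge, origin and rpIdHash are all under the signature, so an assertion produced on a phishing page cannot be relayed to the real site.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a *Assertion) error {
	var cd ClientData
	want := sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return errors.New("rp: bad clientData type or challenge")
	case cd.Origin != origin:
		return errors.New("rp: origin mismatch: " + cd.Origin)
	case len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]):
		return errors.New("rp: rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedHash(a.AuthData, a.ClientDataJSON), a.Sig):
		return errors.New("rp: bad signature")
	}
	return nil
}

// Scenarios runs one legitimate login and three phishing attempts. Hosts and the challenge are constructed examples; a real RP draws a fresh random challenge for every login.
func Scenarios() (map[string]bool, error) {
	const rpID, origin, phish = "example.com", "https://example.com", "https://example.com.evil.test"
	const challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: a key bound to rpID
	if err != nil {
		return nil, err
	}
	cred, pub, out := &Credential{RPID: rpID, Priv: priv}, &priv.PublicKey, map[string]bool{}
	a, err := BrowserGet(cred, origin, rpID, challenge)
	if err != nil {
		return nil, err
	}
	out["legit login"] = Verify(pub, rpID, origin, challenge, a) == nil
	_, err = BrowserGet(cred, phish, rpID, challenge) // phishing page asks for the real RP ID
	out["phish asks for real RP ID"] = err == nil
	_, err = BrowserGet(cred, phish, "example.com.evil.test", challenge) // phishing page uses its own RP ID
	out["phish uses own RP ID"] = err == nil
	// Even if the browser rule were bypassed and the key signed anyway, the RP rejects the phishing origin.
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: phish})
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedHash(a.AuthData, cd))
	out["phish relays signed assertion"] = Verify(pub, rpID, origin, challenge, &Assertion{a.AuthData, cd, sig}) == nil
	return out, nil
}

func main() { fmt.Println(Scenarios()) }
```

Only the "legit login" entry comes back true. Contrast this with a TOTP code or a password: both are the same string no matter which site asks for them, which is what makes them "phishing-friendly" in the sense the comment uses. The example also shows why a password manager cannot offer a "type it in by hand" fallback for a passkey: the thing being presented is a per-login signature over data the browser controls, not a secret the user can read off and paste.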
That depends on whether you need to have an active account to use your existing devices. For example, an Apple user would need to migrate before things fall out of sync but they have a full copy on every device.
The fallback path here is what you’d do with any other MFA loss. It’s not a federated login system so you’d be looking at some kind of account recovery process for each of the sites where you used your passkey, just like you would if you lost a Yubikey or changed phone numbers.
This is incorrect: there is no fallback once they have shut you out. The correct answer is to not use a passkey that's managed by the device ecosystem.
Citation? Are you conflating losing access to your iCloud account with a remote-wipe? I’ve used devices which had synced passkeys when iCloud was disabled (MDM gaffe) or unavailable due to a password change, and the credentials which had already been synced continued to work without issue.
> The fallback path here is what you'd do with any other MFA loss.
Which, in many cases, is to avoid MFA because it's less secure. Yes, less secure because availability is part of security.
And I don't have a better plan to store all those recovery codes than to store all those passwords. So the attacker can still get in with the same effort, but I have to keep getting my phone. No thank you.
I agree that storing recovery codes is a pain point, but they're fundamentally different from passwords in that you don't need to use them for each login. That allows you to put them in cold storage, whether that's an encrypted flash drive, a piece of paper, a box buried in your back yard, or whatever else you want. Doing the same thing for information you need on each login would be ridiculous, but for a once-in-a-blue-moon recovery situation, the lack of convenient access is fine.
> Yes, less secure because availability is part of security.
This is too often forgotten. Availability is a fundamental part of security and must be part of every threat model.
And your threat model needs to be matched with what it is being protected. One size does not fit all.
For example to log in to my brokerage account, I may be ok with a solution where I might lock myself out and have to go to a physical branch to restore access. Because while that would be a pain, it's better than having my life savings stolen.
But to log in to, say, facebook? Availability and convenience are #1 above all; it's just cat videos and other extremely low value stuff, so it's not worth any inconvenience.
It’s easier to print things and you have clear instructions telling you why it’s important.
The key here is thinking about relative risk: many people get compromised by reusing passwords or being phished every day compared to the number of people who simultaneously lose all of their devices and recovery codes.
One confound is that many people don’t own a personal printer because they have access to one at their library, job, friend’s home, etc. and that’s fine for something you do once and likely never use over your lifetime.