by acdha 471 days ago
All of the major implementations sync across all of your devices and use recovery codes as part of the setup process. Apple’s implementation is designed to cover loss of all devices, and I’d assume the others are similar:

https://support.apple.com/guide/security/escrow-security-for...

The key thing to understand is that passkeys are not intended to be as secure as hardware tokens but to be more secure than traditional passwords with phishing-friendly MFA. That allows them to offer better recovery options but might not be good enough if you are the target of a serious actor.


What if the provider of the major implementation decides to shut you out of your account?

That depends on whether you need to have an active account to use your existing devices. For example, an Apple user would need to migrate before things fall out of sync, but they have a full copy on every device.

The fallback path here is what you’d do with any other MFA loss. It’s not a federated login system so you’d be looking at some kind of account recovery process for each of the sites where you used your passkey, just like you would if you lost a Yubikey or changed phone numbers.

This is incorrect; there is no fallback once they have shut you out. The correct answer is to not use a passkey that's managed by the device ecosystem.

Citation? Are you conflating losing access to your iCloud account with a remote wipe? I’ve used devices which had synced passkeys when iCloud was disabled (MDM gaffe) or unavailable due to a password change, and the credentials which had already been synced continued to work without issue.
> The fallback path here is what you'd do with any other MFA loss.

Which, in many cases, is avoid MFA because it's less secure. Yes, less secure because availability is part of security.

And I don't have a better plan to store all those recovery codes than to store all those passwords. So the attacker can still get in with the same effort, but I have to keep getting my phone. No thank you.

I agree that storing recovery codes is a pain point, but they're fundamentally different from passwords in that you don't need to use them for each login. That allows you to put them in cold storage, whether that's an encrypted flash drive, a piece of paper, a box buried in your back yard, or whatever else you want. Doing the same thing for information you need on each login would be ridiculous, but for a once-in-a-blue-moon recovery situation, the lack of convenient access is fine.
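The property this comment relies on, that a recovery code is consumed once and never reused, is what makes cold storage workable. As an added illustration (not code from this thread), here is a minimal server-side store for single-use recovery codes: it issues random codes, keeps only keyed hashes of them, redeems a code at most once, and compares in constant time so that timing does not reveal which stored hash matched. The `RecoveryCodeStore` class, the code format and the per-account salt are assumptions for the example; a real deployment would also rate-limit redemption attempts.

```python
import hashlib
import hmac
import secrets


def generate_recovery_codes(count: int = 10, nbytes: int = 10) -> list[str]:
    """Return `count` random codes, each 80 bits of entropy by default,
    formatted as four groups of five hex characters (e.g. 1a2b3-c4d5e-...)."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(nbytes)  # 2*nbytes hex characters
        codes.append("-".join(raw[i:i + 5] for i in range(0, len(raw), 5)))
    return codes


def normalize(code: str) -> str:
    """Strip separators and case so a code typed from paper still matches."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> str:
    """Keyed SHA-256 of the normalized code. Adequate here because the codes
    are long and random; for short or user-chosen codes use a slow password
    hash (bcrypt/argon2) instead."""
    return hmac.new(salt, normalize(code).encode(), hashlib.sha256).hexdigest()


class RecoveryCodeStore:
    """Hypothetical per-account store: holds hashes only, never plaintext."""

    def __init__(self, salt: bytes) -> None:
        self.salt = salt          # per-account salt, assumed stored with the account
        self.hashes: set[str] = set()

    def issue(self, count: int = 10) -> list[str]:
        """Replace any existing codes with a fresh batch. The plaintext list
        is returned exactly once so the user can print or archive it."""
        codes = generate_recovery_codes(count)
        self.hashes = {hash_code(c, self.salt) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code. Every stored hash is compared even after a match,
        so the time taken does not depend on which code was used."""
        candidate = hash_code(code, self.salt)
        matched = None
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                matched = stored  # keep looping: no early exit
        if matched is None:
            return False
        self.hashes.discard(matched)  # single use: gone after a successful redemption
        return True

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    # Constructed demonstration: issue codes, redeem one twice.
    store = RecoveryCodeStore(salt=secrets.token_bytes(16))
    printed = store.issue(8)
    print("codes to store offline:", printed)
    print("first use ok:", store.redeem(printed[0]))    # True
    print("second use ok:", store.redeem(printed[0]))   # False, already consumed
    print("remaining:", store.remaining())              # 7
```

The user keeps the printed list; the server keeps only the hashes, so a database leak does not hand an attacker usable codes, and a code that has been spent cannot be replayed.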
> Yes, less secure because availability is part of security.

This is too often forgotten. Availability is a fundamental part of security and must be part of every threat model.

And your threat model needs to be matched with what it is being protected. One size does not fit all.

For example, to log in to my brokerage account, I may be OK with a solution where I might lock myself out and have to go to a physical branch to restore access. Because while that would be a pain, it's better than having my life savings stolen.

But to log in to, say, Facebook? Availability and convenience are #1 above all; it's just cat videos and other extremely low value stuff, so it's not worth any inconvenience.

Well, it's true that a password manager is a single point of failure.

If you have two password managers then they can serve as backups for each other. Unfortunately that means you have to register each account twice.

Just use a password manager that allows you to have a local copy of everything (e.g. KeePass) and just back it up as any other file.

That could work, assuming your usual file backup methods are secure enough and it doesn't create a circular dependency.
We can’t trust users to not reuse a password, so why do we expect they will go through the effort of storing / understanding recovery codes?

It’s easier to print things, and you have clear instructions telling you why it’s important.

The key here is thinking about relative risk: many people get compromised by reusing passwords or being phished every day compared to the number of people who simultaneously lose all of their devices and recovery codes.

It's not easier to print things. Only about 60% of the population has a printer, and that number is going down, not up.

One confound is that many people don’t own a personal printer because they have access to one at their library, job, friend’s home, etc., and that’s fine for something you do once and likely never use over your lifetime.