[kccqzy]

You didn't get my point. It's not the lack of security training, but the issue is that the security training focuses on intangible things like passwords, domain names, links, emails. Yubikey is the opportunity to break this model and focus on tangible and tactile things that exist in the physical world. A passkey synced using iCloud or Google account does not break that model and will continue to be less understandable for real users than Yubikeys.

There are plenty of cases where I know that people have misplaced Yubikeys. They might have a spare Yubikey. Or the equivalent to finding a locksmith is to log in with a non-passkey method. It's fine and in fact better if logging in without a passkey is considered an unusual fallback.

[godelski]

You're not getting my point though.

  > A passkey synced using iCloud or Google account does not break that model

Yes, yes it does. Have you seen how hard it is to recover these accounts? There's not uncommon HN posts that do get these solved, but only then by high visibility. A method most people do not have available to them.

  > Or the equivalent to finding a locksmith is to log in with a non-passkey method

Sure, it is just that the backup methods end up undermining the security key.

Both of these were mentioned in my post you originally responded to: https://news.ycombinator.com/item?id=43988957