[jorvi]

That is very rarely how passkeys work.

You chose a worst case example and are comparing it with your best case example.

Virtually all sites have one passkey, tied to your vault of choice (Apple, Google, 1Password, etc). You make one, and you can use it everywhere.

Passkeys are a blessing for your regular Joe. No more easy phishing, and no passwords to forget. Often even no username to forget.

Apples-to-apples, passkeys rock.

[probably_wrong]

> Passkeys are a blessing for your regular Joe.

I've had two regular Joes come to me because Google locked them out of their accounts (plus a third one with Apple) and they had important emails they couldn't get to. The "solution" in all cases ended up being a total loss and starting from scratch.

Now when Google locks them out of their account with no recourse (or, more likely, when their phone dies without backup) not only do their lose their email, but also every other service they ever signed up for.

Passkeys may be better when everything works right, but password managers are miles ahead when something goes wrong.

[jorvi]

Google aggressively forces you to add your phone number or a backup email, multiple pop-ups per month. When you make a passkey they again aggressively try to force you to have backup access methods. You really have to put in a good effort to lock yourself out.

If regular Joe configured a TOTP and then ignores the huge warnings about not saving the backup codes, are you going to blame the service or him?

[probably_wrong]

> You really have to put in a good effort to lock yourself out.

When Google and Apple block you, you stay blocked for good regardless of how many backup measures you provide. An Apple representative literally told me once that I needed to provide the phone number of the thief who stole my brother's phone if I wanted to regain access to iCloud; Google asked for my password and backup email only for their system to say "that's not enough to let you in, but there are no other methods so you're SOL".

Even in more "normal" situations, how much do I need to pay to get someone at Google to check my identity (possibly with official ID) and restore my account? Answer: None, because that's not a service Google offers - you can try to sign up for a paid plan, but even then there's no guarantee that they'll listen to you.

Any system that depends on FAANG companies is a system where you can find yourself locked out without recourse. I definitely blame the service.

[jorvi]

Oh, you mean being locked out by the vendor, not accidentally locking yourself out.

Yes, that sucks. I have an old account at a FAANG they won't allow me to log in to despite me knowing the current password, my old passwords and the old e-mail. But it is partly my own fault because I changed the e-mail and phone number to a fake one.

I will say that getting locked out (= banned) by Google or Apple usually means you're doing something odd or even seedy. Of all the regular people I'm acquainted with, it hasn't happened to anyone, ever. And that's gotta easily be 100+ people. However people like dropshippers, grey hats, OF models etc etc any people with irregular cash flows or e-mail traffic definitely run a risk.