[mcdeltat]

Genuine question: what if the recovery asks for a 2nd factor that's e.g. the device which you lost? Is that common?

Personally I don't really trust companies to not do a whoopsie and permanently lock you out when you lose credentials. Especially when the company is big or hard to access in person.

For someone like me who already uses a password manager for everything, passkeys seem to add no security while reducing usability and control.

[realityking]

> For someone like me who already uses a password manager for everything, passkeys seem to add no security while reducing usability and control.

One advantage of passkeys is that they’re phishing resistant. They’re bound to the website that you created them for, it’s impossible to use them for a different website.

[NekkoDroid]

> Genuine question: what if the recovery asks for a 2nd factor that's e.g. the device which you lost? Is that common?

Instagram does something similar. If you have no logged in device and you reset your password, good luck getting in, cuz it wants you to log in a device "it recognizes" else it won't let you log in.

[gzread]

Google does it too. You log in with your password and it says "please press the number 35 on your phone"