Passkeys cannot be cryptographically reset, but plenty of providers have account recovery flows in case you lose your passkey. Without a recovery mechanism you’d be technically locked out, that’s true.
All I know is I have about a dozen sites that think I have a passkey that I can neither find nor replace, and I have another few that allow only one passkey per device even if I have multiple logins.
Yeah, the whole point of passkeys is for the user to not be able to control them. You're at the provider's mercy if you want to switch to another device.
Yeah, you just allow setting a new passkey by sending an email link, just like password resets. Passkeys don't have to be remembered, can't be phished, and don't need 2FA.
That's highly misleading to outright misinformation.
> Passkeys don't have to be remembered
Because you need an app for the login flow. You also don't have to remember passwords if you use a password manager app.
> don't need 2FA
Not true, a second factor in the form of e.g. a biometric ID or PIN is mandatory.
Phishing resistance exists, but only truly so if you completely surrender control over your device and access to your credentials. Something that the same organizations who you'll depend on for Passkeys are actively pushing for through various initiatives.
No it is not. You're free to save passkeys in your manager of choice and it still won't let you use a passkey on the wrong website. Users are freed from having to copy-and-paste TOTPs. No app other than a browser needed.
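The "won't let you use a passkey on the wrong website" claim and the earlier point about a PIN or biometric come down to two checks a WebAuthn relying party performs on every assertion. This is an added example, not code from any commenter: a toy relying-party verifier that checks the origin the browser recorded in clientDataJSON, the rpIdHash the authenticator put in authenticatorData, and the user-presence and user-verification flags. The sample assertions (challenge, origins, RP IDs) are constructed; the signature check over the signed message is deliberately left out (a real RP must verify it with the stored public key), and whether user verification is required is the RP's own policy, modelled here by the assumed `require_uv` parameter.

```python
import base64
import hashlib
import json
import struct

# Bits of the authenticatorData flags byte (WebAuthn spec).
FLAG_UP = 0x01  # user present (touched the key / clicked through)
FLAG_UV = 0x04  # user verified (PIN or biometric on the authenticator)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed stand-in for what an authenticator emits: rpIdHash || flags || signCount.

    The browser only lets a page ask for an RP ID that is a registrable suffix of its
    own origin, so a phishing page cannot obtain authenticatorData for the real RP ID."""
    return sha256(rp_id.encode()) + bytes([flags]) + struct.pack(">I", sign_count)


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for clientDataJSON; the browser, not the page, fills in origin."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()


def signed_message(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """Bytes the authenticator's private key signs. Because the origin and rpIdHash are
    under the signature, a relay cannot rewrite them without invalidating it."""
    return authenticator_data + sha256(client_data_json)


def verify_assertion(expected_rp_id: str, expected_origin: str, expected_challenge: bytes,
                     client_data_json: bytes, authenticator_data: bytes,
                     require_uv: bool = True):
    """Relying-party checks that precede signature verification. Returns (ok, reason)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge must be the one this RP issued for this login attempt (anti-replay).
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch"
    # Origin binding: the browser recorded where the ceremony actually ran.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # RP ID binding: first 32 bytes are SHA-256 of the RP ID the authenticator scoped to.
    if authenticator_data[:32] != sha256(expected_rp_id.encode()):
        return False, "rpIdHash does not match this RP"
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification (PIN/biometric) not asserted"
    return True, "ok"


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; real RPs use a random per-login value
    legit = verify_assertion("example.com", "https://example.com", challenge,
                             build_client_data("https://example.com", challenge),
                             build_authenticator_data("example.com", FLAG_UP | FLAG_UV, 1))
    phished = verify_assertion("example.com", "https://example.com", challenge,
                               build_client_data("https://examp1e.com", challenge),
                               build_authenticator_data("examp1e.com", FLAG_UP | FLAG_UV, 1))
    print("legitimate login:", legit)
    print("relayed from look-alike site:", phished)
```

The look-alike-site case fails at the origin check, and would fail again at the rpIdHash check even if a proxy rewrote clientDataJSON, because the hash and origin are both covered by the signature the RP verifies next.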