1. what's the backup login mechanism when you lose your mobile device?
2. with Passkeys enabled/used, will this stop google from randomly locking my account because I happen to be a person who travels a lot and they constantly think I'm a fraudster attempting to log into my own account?
3a. can I use my google passkey for logging into non-Google sites?
3b. can I use my google passkey (biometric) to log into sites that don't accept "Sign in with Google"? (meaning, other sites tap into my same enrolled passkey biometric)
4a. is the way to think about Passkeys that it's basically turning your mobile device into an open-standard Yubikey? (meaning, a Yubikey is a hardware biometric that you need to be in possession of to log in. Passkeys turn your mobile phone into something that functionally performs the equivalent of a Yubikey)
4b. Or is the way to think about passkeys that it's effectively just a password manager (like 1Password) that you use your biometric to unlock?
5. is FaceID a "passkey"?
6a. can a Passkey be paired with a mobile Drivers license, to effectively create an eID?
6b. if so, would this be a competitive threat to all the KYC offerings that exist in the world (because now you have a verified biometric login that can be used for new account openings)?
> 1. what's the backup login mechanism when you lose your mobile device?
Passkeys are synced to the cloud by default on iOS and Android, which is probably a good idea for many use cases, but might not be what you want in some instances.
> will this stop google from randomly locking my account because I happen to be a person who travels a lot and they constantly think I'm a fraudster attempting to log into my own account.
Probably not, but it will make it much easier to log back in – you won't even need to type your password if you use a 2FA-capable authenticator/passkey.
> 3a. can I use my google passkey for logging into non-Google sites?
No, a Passkey is bound to a website. But you can create as many of these as you want.
Like the commenter you are responding to, I still don't understand how any of this can possibly work in practice.
> Passkeys are synced to the cloud by default on iOS and Android, which is probably a good idea for many use cases, but might not be what you want in some instances.
OK, so how do I use my cloud synced passkey to log on to my Google account (which no longer has a password or other secret that I can back up locally) after I lose my phone?
> Probably not, but it will make it much easier to log back in – you won't even need to type your password if you use a 2FA-capable authenticator/passkey.
OK, but if the account is locked, that just gets them to display the "you're screwed" screen faster (since they don't need to wait for me to type a password), and the blast radius goes from just my Google account to all my other accounts, right?
> […] how do I use my cloud synced passkey to log on to my Google account (which no longer has a password or other secret that I can back up locally) after I lose my phone?
You don't, in the same way that you can't store the password to your password manager in your password manager. That's why having another way to log back in to your Passkey sync/backup account is crucial.
> OK, but if the account is locked, that just gets them to display the "you're screwed" screen faster (since they don't need to wait for me to type a password), and the blast radius goes from just my Google account to all my other accounts, right?
If you lose both access to your Google account and all of your devices that have your Passkeys locally synchronized, yes. The same goes for somebody taking over one synchronized device and remotely deleting all of your passkeys before you can take another device offline.
I'm personally pretty skeptical of passkey synchronization by default without a way to opt out, but I can see how availability might be just as big a concern for most non-technical users as security.
> Passkeys are synced to the cloud by default on iOS and Android, which is probably a good idea for many use cases, but might not be what you want in some instances.
Okay, but Google is suggesting logging into their account with a passkey, so how do I access the cloud if I lose the devices with my Google passkey?
> Passkeys use public key cryptography. Public key cryptography reduces the threat from potential data breaches. When a user creates a passkey with a site or application, this generates a public–private key pair on the user's device. Only the public key is stored by the site, but this alone is useless to an attacker. An attacker can't derive the user's private key from the data stored on the server, which is required to complete authentication.
> Because passkeys are bound to a website or app's identity, they're safe from phishing attacks. The browser and operating system ensure that a passkey can only be used with the website or app that created them. This frees users from being responsible for signing in to the genuine website or app.
Two is already handled by a good password manager (which every announcement of passkeys leaves out), so the real benefits are in one. Instead of providing the same password each time, you prove that you have your private key in a way only that website (or whatever holds the public key) can ask.
Among the many issues, I think the biggest is that this functionality is being locked behind these large corporations as gate keepers. Is anyone aware of any open source, self-hostable work to provide passkey functionality?
It seems to me not all of it could be, since some implementations will require that you prove your private key is stored by a special chip that can be attested, which you necessarily can't muck with or reproduce (at least without a lot of effort and maybe running afoul of laws). And there's nothing that guarantees that your keys can be taken elsewhere, unlike passwords, which you can do whatever you want with.
Something else to keep in mind, when they talk about the guarantees of passkeys, they're talking about several other layers of technology. That's why password managers already offer a lot of the security being touted.