Are Passkeys, at some level of abstraction, permanently replacing "something you know" (password) with "something you have"?
If I am in some kind of calamity (dropped my phone, got robbed, etc), and I come to a friendly person's house, it sounds to me like I simply would not be able to login to potentially critical services, no matter how much I know, because I don't have anything (the device that passkeys are tied to / on).
Is that true?
And... am I the only person completely dreading this system?
I don't live on my one and only phone; I have two phones, 3-4 tablets, 4-5 computers I use regularly. Of various operating systems, browsers, manufacturers, etc.
I can create a password of arbitrary complexity and security and comfortably use all my devices as well as any new device that comes my way.
Passkeys sound... like a nightmare?
(they also sound AMAZING to my wife and family... woohoo no passwords, I just have to use my phone... until they INEVITABLY lose or break their phone... and then they'll come to me and I have no idea what to tell them anymore -- all your passkeys were on your device and now they're gone forever because Google & Apple decided it was better for you, and you did not follow obscure methods I frankly cannot help or explain to you to maybe possibly back them up, one day, when a method exists, to some other device)
If you use a password manager today, then you're already essentially using something you have, because you need to be in possession of your login database to retrieve passwords, and nobody can remember that in their head.
Passkeys are a formalization of the idea that you should be using a password manager where all the passwords are random uncrackable 32 character strings, and if we add this constraint then we can do crazy secure things like employ asymmetric crypto to prevent phishing and MITM attacks, so woO!
You are right to be concerned about the whole device thing though. Apple addresses this by requiring that you use/enable iCloud keychain in order to use passkeys. The generalized solution to this is allowing 3rd parties to be your passkey provider, so that you can choose how your passkeys are stored (cloud synced vs device bound) and e.g. whether you want an implementation where you can unlock them with one strong something you know, something you are, something you have, or any combination thereof, the only limit being the features/options the different 3rd party products will offer, depending on their target market, etc.
> The generalized solution to this is allowing 3rd parties to be your passkey provider, so that you can choose how your passkeys are stored
The password manager I use has no cloud component (which is why I chose it), and addresses this by allowing me to export my password collection to an encrypted backup file.
Would this be a thing that the passkey folks would be OK with? That would ease a lot of my hesitation.
> Would this be a thing that the passkey folks would be OK with? That would ease a lot of my hesitation.
I mean, I don't _like_ it (if I'm a passkey folk) as a widespread feature. I suspect users may be tricked into giving away the keys to the kingdom.
However, these are generally just API, there are open source projects for security keys, and having an option to hold down a button on insertion to have it turned into a filesystem with a CSV file sounds kinda neat as a bit of hackery.
There are several third party software implementations, such as those built on top of existing password managers which have pre-existing password export/import functionality and tend to document their data vault formats (or have them torn apart in reverse engineering). I suspect this will happen if it hasn't already - it would be better as a command-line tool and not a button with a wordy pop-up.
My hope is that we have independent certifications for relying parties to rely upon, but lack of certification won't lead to such a bespoke implementation being rejected by anyone. Instead, some sites may ask for you to continue using additional factors since they don't understand if your passkey meets their requirements.
If I'm understanding you correctly, then I should be able to write my own manager to behave in a fashion that is in line with my wishes. Is that correct? That would be a nice escape hatch to have available if need be.
> Instead, some sites may ask for you to continue using additional factors
On the other hand, if that's the result of doing that, then there'd be no gain. I'll end up going through the whole gauntlet anyway.
> On the other hand, if that's the result of doing that, then there'd be no gain.
Yeah, we'll just have to wait to see. Passkeys are just big enough and different enough that I think they are exposing a lot of the holes in existing modeling of authentication.
For example, a party may not want to rely on a separate piece of software or cloud-backed data for authentication, but that is the reality for password managers today, as well as text messages and TOTP for a lot of people. What are these factors that would always survive an attacker getting access to a user device and to their cloud account? You quickly find yourself in the realm of issued hardware key fobs and in-person identity verification for account recovery.
This is not really the same thing as what GP is asking? They're asking about backing up existing keys, you're talking about creating new ones. I can back up my entire password database just by copying a file. To "back up" a Yubikey I buy a new key then I individually visit every single site I have an account on and attach a new key one by one. That's not equivalent.
It also makes setup a lot less convenient than a password manager would be. Every time I set up an account I need to set up two devices? And ideally they should be stored in different places, just having 2 Yubikeys in my pocket isn't really doing much for me, so now every signup is literally a 2-step process that involves going to 2 locations.
You are describing the tradeoff made by passkeys, yes. The idea is that it shouldn't be possible for someone to phish your passkey, because it lives on a piece of hardware and signs challenges, but is not transmitted to the requesting party (or to anyone).
Luckily, passkey "syncing" and "backup" means issuing a new key that's signed by an old key, so you can in fact have the convenience of paper-based backups if you want (that's how the QR codes work for syncing between passkey managers).
I trust you can appreciate how this improves security in general, by trading some convenience.
> The idea is that it shouldn't be possible for someone to phish your passkey, because it lives on a piece of hardware and signs challenges, but is not transmitted to the requesting party (or to anyone).
Passkeys don't live only on the device. iOS syncs to the cloud. They're not unphishable. You can lose your iPhone, get a new iPhone and get all of your passkey logins without having access to the old iPhone. If someone tricks you into giving access to your iCloud account, they can get your passkeys. Heck, if someone tricks you into doing an airdrop, they can get a passkey from you.
The whole "these are locked to the device" ship has very much sailed at this point.
That's a conscious compromise to security because Apple has decided (I think correctly) that the security gain from blocking backup to the cloud is not actually high enough to justify how much less accessible passkeys would be without that feature.
So I don't buy that it's security that's blocking them from also allowing syncing to other places other than iCloud.
> You are describing the tradeoff made by passkeys, yes.
More to the point though, I wish people would lead with this and not start out by saying, "oh, they're just as portable and easy to back up as a normal password."
They're not, there's a tradeoff here. You can not just make an encrypted vault of all of your passkeys and stick that on a USB drive. And that's a tradeoff that was so severe that every major OS provider got together and extended the standard to allow cloud sync for keys.
Should they have done that? :shrug: But if someone is asking if they can do the same thing with passkeys that they do with their password manager, the answer is 'no'. You can not export all of your passkeys to an encrypted vault and stick it on a flash drive or sync it to another device using syncthing. Your options are a lot more limited, and the way it's advised to get around that is to authenticate multiple devices for each account.
In theory it's something that might be supported in the future? In practice, it's not supported by anyone right now.
So what I'm hearing through all these answers (many thanks for the info!) is that my original question of "am I screwed if I arrive at somebody's house naked/robbed/with a broken device", the answer is "yes. Thoroughly. Unpleasantly. By design."
To be fair -- if you go out and buy another device owned by the same company and you go through their recovery process (and are capable of going through that recovery process) and you stay in their ecosystem like a good little consumer, then you'll be OK (although you won't have immediate access to those accounts until after you've purchased and set up the replacement device).
And if you've preemptively set up your friend's devices as trusted devices and given them access to your accounts or like... purchased a second device from the same company and linked it to your cloud account and then given it to your friend to hold -- in both of those situations you'll be fine (but do you want to do any of that?)
Otherwise, yes, you're out of luck by design. You'll have to go through the recovery options for every single account.
> They're not, there's a tradeoff here. You can not just make an encrypted vault of all of your passkeys and stick that on a USB drive. And that's a tradeoff that was so severe that every major OS provider got together and extended the standard to allow cloud sync for keys.
Why do the blessed vendors get to do that but not 3rd parties? Syncing your passkeys is just copying the DB to the cloud and then down to another device. If you made a copy of your iCloud db, and iCloud let you import passkeys (does it?) then you can absolutely make a copy of your iCloud keychain and backup/restore it as needed. I don't really understand your point here (everything else checks out though).
> Why do the blessed vendors get to do that but not 3rd parties?
That's exactly what we're all asking :)
I feel like you're possibly arguing that the tech itself doesn't require platform lock-in, and I absolutely agree with that. This is a policy issue, not a tech issue (well, attestation, but that's a different conversation). But it's a policy issue that's shared by all of the major companies involved in the FIDO alliance and they're very suspiciously against offering any policy solutions or requirements in the passkey specification itself.
There's no technical reason at all why Apple couldn't support syncing passkeys to a local backup that can be imported by other authenticators. From that perspective you're completely right.
Right. I just wanted to make that clear. That’s why I say there’s no fundamental difference between the two technologies and compare webauthn to passwords of yore.
In terms of policy, I am not sure all the players share the sentiment. Google stated they understand the importance of passkeys being cross platform. So at least, if their statement is to be trusted, they’re on the side of consumers.
I come down really hard on passkeys sometimes, but I'm not opposed to the idea of using keys for authentication. I think that's an amazing idea.
I'm mostly down on the passkey ecosystem and who's in charge of it. I guess I don't do a good job of clarifying that always.
There is a theoretical alternate world where the FIDO Alliance approached this differently where I would be 100% on board with passkeys and would be encouraging everyone to switch to them. I'm just really worried about the implementations I think we're going to actually end up with.
I like the passkey idea in the general sense, too. But what I don't like is the involvement of a third party, and the loss of control over my own critical data.
Like, I cannot say "export to file" and put that on a thumb drive and put that in a safe? Make what copies I want?
What kind of dystopian twilight zone where literally "all your base are belong to Apple" (or google or Ms, pick your poison of "choice") we seem to be sliding into?
> Like, I cannot say "export to file" and put that on a thumb drive and put that in a safe? Make what copies I want?
You can not export to file or store a passkey on a thumb drive.
There have been a couple of claims from various sources that this is coming sometime(tm), but no official word from any of the larger players. I will believe it when I see it.
In addition, if someone does build an Open Source authenticator app that allows you to export and import your keys, there's a capability called hardware attestation that allows login providers to ban authenticators, so there's no guarantee your Open Source authenticator will actually work with every site you want to make an account on.
Think of that like going to log into your bank and being told you can't log in because you're storing your password in Bitwarden instead of the Apple password manager. The current way the spec deals with this risk is by asking very politely for companies to not do that unless they have a really good reason.
I think there's a difference between being able to backup a file (like I can with keepass password database) to any device, format or location I choose, vs backup my iPhone to iCloud, because for all intents and purposes that's just secondary memory/storage for my one device.
My wife recognizes the scream from the home office when I try to move ANYTHING from my iPhone to anything else in the world. I have no doubt that backing up the pass keys from iPhone / ICloud to a thumb drive or my windows pc would lead to even more primeval shrieks.
So I feel those pass keys are pretty stuck to that device in practical ways that matter. Let me know if I'm wrong!
> If you use a password manager today, then you're already essentially using something you have, because you need to be in possession of your login database to retrieve passwords, and nobody can remember that in their head.
Which is precisely why I would never use an offline only password manager. In the case outlined above, I would need to connect to my online password manager, using the master password I have in my head; which then would allow me to connect to all my services.
How would that work with passkeys? So far the only way I could see this working is if every single device on earth comes with a fingerprint/face scanner. Because my face and my fingers will always be there for me (hopefully). Otherwise we are back to secrets (aka: passwords).
I don't want to trust a 3rd party to be able to restore access to accounts after losing my phone. I've lost several Google and Yandex accounts that way. Despite knowing the passwords, they refused to let me log in again after losing my phone.
"And... am I the only person completely dreading this system? Passkeys sound... like a nightmare?"
It's already a bad dream for me. I can't stand all the 6-digit codes I have to fetch to do things like: check email, schedule appointments, pay bills, just plain buy stuff. I'm glad we're long past the days of emailing users forgotten passwords in plaintext, but I'd prefer to accept less security for the convenience of being able to log into an account without proving my identity via phone.
> Are Passkeys, at some level of abstraction, permanently replacing "something you know" (password) with "something you have"?
Sometimes. The authenticator you choose to use sets the policy of what makes a valid authentication. So if your authenticator is "Google Password Manager", it is whatever steps you need to get into your Google account and enable the password manager.
If you do not have the infrastructure to get into that account (say, you have an SMS fallback and your phone is dead), you'll be locked out.
If your authenticator is say a hardware security key, then most likely losing that key means you have no backups.
Even in this case, you can have more than one mechanism to recover access or to prove who you are (even if it is a second hardware key at home in the safe).
Yes, it replaces something you know with something you have and something you are. The hypothetical scenario you describe is a downside.
As to your other concerns. Registering a passkey from each of your devices should be a trivial exercise. If you want to play with this now, GitHub has good integration (you can keep your password, the passkeys you register are just alternative ways to access).
For your family, your concerns are not warranted because the “cloud backup” is part of the integration. With Apple, as an example, the passkeys are tied to your keychain, and changing devices/disaster recovery is relatively trivial. The passkeys are also accessible from all your Apple devices, so you don’t have to create separate ones.
This is my worry, but now you just have to make sure you can access your keychain.
Test your keychain access today, “lose your devices” and see if you can still get all your keys through other methods. This is especially important with 2FA.
It is true that you probably cannot access your password without a new “owned” device though; gone are the days where you can hop onto a fresh device and type in your password for your email provider.