Seriously, the issue in this thread is why I think #passkeys are a ticking time bomb. Most people don't understand how they work, or that they're linked to a single device, or that they need to maintain a backup login method. Websites that support passkeys don't do enough to communicate and enforce good habits. If we continue down the passkey path, people losing access is going to be a much bigger problem in the future, and we're not ready for it. #infosec
@jik I do not know the whole ecosystem so I might be missing something, but using Bitwarden (Vaultwarden) and Apple's Keychain, passkeys are synced across devices and I can provision new devices that have access to them.
As long as we talk about “regular users” or traditional threat models that don’t involve three letter agencies or whole governments I see this as a small improvement over TOTPs as a second factor.
Not sure how I feel about them as the only login mechanism.
@fallenhitokiri I've addressed the syncing elsewhere in the thread.
I actually think passkeys are a _huge_ improvement for regular users in the normal case when everything is going fine. My concerns are about usability when things go badly wrong and users don't do what they're "supposed to," both of which happen far more in the real world than tech vendors like to acknowledge or plan for.