The problem with passkey is that it's obscure for the common folk.
I'm a developer, yet for some odd reason I'm having a hard time understanding passkeys. Are they synced between devices? Do I need to set up a passkey per device? What happens if I have a single passkey on my phone and it gets lost? Do I lose access to that service?
So many questions that need a clear and concise answer.
One issue I found recently was changing my GPU clearly changed the definition of my "device" in Windows and invalidated all my passkeys. But the passkeys are still there, the sites I access still try to request them, but Windows can't provide them, so it basically just errors out. Not found out how to clear this all out yet.
30+ years of software dev, but I rarely had to worry about security. I've grown up with passwords (from 1980s BBS logins on up), but just like you, I still don't fully "grok" passkeys, in the sense of how I understand passwords, their threat model, how they can be cracked, etc.
I think I understand it's a bit like a "my public SSH key + website's public SSH key merged together", so that each website can verify the passkey we created together using their private key. The basic mechanism is more or less straightforward.
What I do not understand well is the "how to store and manage 100s of passkeys", and how to migrate my family (including my parents in their 80s, who are far away and I am the main tech guy when the closer "basic tech literate" family members who live closer can't figure things out) to them. We use Linux and Windows boxes at home, and Android phones (for now).
I can easily log into any accounts from any of these, even from my work laptop if needed, some requiring SMS 2FA (let's leave that for another discussion). If I created a passkey on a linux desktop and stored it in a yubikey, can I re-use it on someone else's windows laptop? Would I need the bluetooth version of the Yubi to sync with my phone? Or would I have to create a unique passkey from each device to each website, using my existing password?
Basically: I don't have "one phone" and "one computer", both running the same OS. What are some usage models, including some that don't require yubikeys, because no way could I get my parents in their 80s to understand those.
This is sounding more and more complicated. I don't want a Yubikey. How does a password manager help my cloud account? What does enrolling multiple credentials even mean?
> How does a password manager help my cloud account?
It's an alternative place to store webauthn credentials, if you're worried about being locked out.
> What does enrolling multiple credentials even mean?
You register multiple passskeys for your account on a service. So if you lose access to one (because you yoinked your phone into orbit), you can use the other one.
Anything that depends on a cloud service where your account can be destroyed any time without any recourse because support is managed by bots is a no go.
Personally, I'm comfortable with cloud services, but only if I have some sort of backup strategy.
I store all my passwords in Bitwarden. One reason I use Bitwarden (as opposed to e.g. Keypass) is because it has cloud syncing. All of my passwords are synced between all of my devices.
Critically, however, if Bitwarden's server was to disappear tomorrow, it wouldn't destroy my life. My passwords would still be stored locally, so I could open Bitwarden and export them, then import them into another service.
Passkey by design have no solution this! That means I can't trust them! I need to be able to export all of my credentials to some type of local file, which can be transferred to a new machine or service without the cloud, as a failsafe. I don't care if this is less secure, because my Bitwarden setup is already very secure, and I am much more scared of being locked out of my own accounts than of someone else getting in.
> Most implementations sync passkeys to the respective clouds.
So, in the end, the old Microsoft mantra: "Your security is very important for us".
Besides Microsoft, NSA, CIA, the five eyes and friends, no one has access to your passkey, this means is secure.
It depends on who is running your keys for you. Most of the vendors (Apple, Google, Microsoft) are using device-specific (hardware) keys to unlock the passkeys, which generally means that transitively you've first logged in with Face ID, Touch ID, Android Gesture, Windows Hello, PIN or one of the other names or brand names for "device-specific pass code or biometric" that unlocks your device's hardware security enclave.
In your analogy terms it is akin to an SSH key stored on a hardware device like a Yubikey that you have to "push the button" to unlock. It is more secure than just an SSH key without a password, but depending on a lot of factors, including your personal threat model, may be more or less secure than an SSH key with a strong password. (You'd assume the Yubikey's unexportable hardware key is a lot stronger to break than any password, so it is potentially far more secure from brute force attacks, especially remote attacks with no physical access to try to export an unexportable key. It's reliant on physical device security so it is far more weak to "in the room"/"over the shoulder" attacks. At the end of the day most people's threat model is somewhere in the middle of the two extremes.)
Of course if you decide to use a password manager like 1Password or BitWarden those passkeys are going to be locked behind your "master vault password" in a similar way to your other passwords.
I'm a developer, yet for some odd reason I'm having a hard time understanding passkeys. Are they synced between devices? Do I need to set up a passkey per device? What happens if I have a single passkey on my phone and it gets lost? Do I lose access to that service?
So many questions that need a clear and concise answer.