Ironically I've seen technical users far more confused by passkeys than 70 year olds on eBay. 70 year olds on eBay don't ask how "Use Apple Face ID to Login to eBay" works or how secure it is, they just generally trust Apple and eBay and just do it, and it generally just works. It's the technical users that want to know all the details of passkeys down to the minutiae and have too many devices with syncing problems because at least one machine is a Linux machine with no hardware security enclave, but "that's fine" because it is locked down to no real "cloud" access but still needs to log in to eBay in an ancient Firefox fork that doesn't support passkeys once every couple of days for some hacky shell script bidder they've been running since they downloaded it off mIRC in the 90s…
Except if you switch phone numbers and get a new phone. My iCloud email address is permanently fucked because I set up an iCloud account years ago with a different phone number. Since I no longer have the number or another Apple device synced to that iCloud account, I'm permanently locked out forever.
Discussing 70+ year olds here, a decent portion of which will not have a smart phone due to age related visual impairment or motor control issues. Turns out that age related technical difficulties are not so much generational or digital-native nonsense, but physical. As the people pushing smartphone-for-everything will discover when they hit 50 and need reading glasses.
But don't you also get into that account via your passkey? How do you know that the passkey you are using to get into the Google/Apple account isn't the same one that will be lost if you lose your phone? I've actually implemented passkeys on my website and I still don't use passkeys for e.g. my own Google account because I don't trust it.
I actually recently unexpectedly broke my phone. Getting back into my Google account protected by passkeys was pretty simple though, I just logged in to my new phone with a passkey stored on another device. Which is fine, because I've got several different devices with passkeys on them.
Same thing with logging into my mail provider which I use passkeys for.
A few accounts I did have to go find a backup passphrase for, but none of those accounts are the kind of accounts I'd normally be trying to get into while on vacation or something.
I don't travel very far or very long without a couple of different authenticators. If it's farther than a bus fare and I'll be gone for a while, I'll probably have at least two, maybe three authenticators on me. For example, my phone, my laptop, and a YubiKey. It's only a few dollars for the public transit around me, so if my car explodes on the other side of town with my bag containing my keys and my laptop in it, and I had to jump out into the river to avoid the explosion and debris and it broke my phone, I'll still be fine to get home with a few dollar bills in my pocket. Or hopefully those other physical security tokens commonly called credit cards will also still work. And there I'll probably have my desktop at home and another YubiKey. But honestly that kind of thing doesn't happen to me too often so I'm not too worried.
All you said is that it worked for you; you even emphasize that your use case was different because you have several devices. This doesn't relate to my question.
> your use case was different because you have several devices
So we just normalize having multiple devices, and suddenly my use case is the same as everyone else's.
It's not like I'm talking about everyone having a dozen $1,000 devices. Several of my authenticators were like $20-30 and have lasted over a decade even getting thrown in the washing machine and getting left in the rain and dropped in the pool. One was on my keys when I was daily driving a motorcycle in a rainy season and still works a decade later.
People don't find it weird to have two car keys and those things often cost hundreds of dollars these days to be replaced.
People aren't going to buy little USB sticks, some phones don't even have USB ports and the NFC or Bluetooth connection never works properly. Also, generally even having multiple devices isn't going to save you when you really need saving. Like in a house fire, or while on vacation and your phone breaks: who really keeps a second phone around constantly with all the passkeys on it, like e.g. in your hotel room? Then what if someone breaks in and steals your backup phone, now you have to invalidate all those passkeys somehow, right?
I also don't know whether there is even any recovery process planned or possible, I guess not? So why on earth would I pick a new system like passkeys where I can't just have Google email me a new password vs. a system where that is impossible? Effectively my email account is like a second device in the password system, which is far easier to carry around than a physical device. Sure, a second, different email account could get itself password guessed, but the chances of that are so small it's pointless to think about, and even if it does get hacked, even then it probably won't matter because it will only get used during recovery processes for a few seconds.
It also still doesn't answer the question around how I would know whether the passkey I created on a different device will work. One time a login process on Windows told me to use a QR scanner via my phone and then I got logged in. Okay, so did that create a new passkey now, and where? Both devices were involved in the login process, it was unclear to me. Maybe it was also the registration process, they are so similar now that I can't remember.
I guess maybe half the problem is that the proposition seems so strange: We are being told that all of a sudden having multiple "passwords" for the same account is actually great, it's secure. In fact: Just have a new password for the same account on every device, you can just keep creating new passkeys and it's no problem at all?! Oh and btw, if you lose any one of those your entire account is utterly compromised and good luck figuring out which of those passkeys you have to invalidate now. Somehow this is okay and secure.
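The two posts above ask how a service can hold several passkeys for one account, how it knows which one you just used, and which one to invalidate when a device goes missing. The toy relying party below is an added example written for this page, not code from anyone in the thread or from any real passkey implementation. It stores one public key per registered device under a single account, has the device sign a fresh per-login challenge with its private key, and deletes exactly one entry by credential ID on revocation. The RP ID "example.test", the device names and the signed-data layout (SHA-256 over rpID plus challenge, standing in for WebAuthn's authenticatorData and the hash of clientDataJSON) are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Authenticator models one device holding a passkey. The private key is generated
// on the device and never leaves it; only the public key goes to the relying party.
type Authenticator struct {
	Name         string
	CredentialID []byte
	priv         *ecdsa.PrivateKey
}

func NewAuthenticator(name string) *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{Name: name, CredentialID: randomBytes(16), priv: priv}
}

// toBeSigned is a simplified stand-in (assumption for this demo) for WebAuthn's
// authenticatorData || SHA-256(clientDataJSON): here SHA-256(rpID || challenge).
func toBeSigned(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID), challenge...))
	return h[:]
}

// Assert answers a login challenge with the credential ID used and a signature that
// only the holder of that private key can produce. Nothing reusable leaves the device.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, []byte) {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, toBeSigned(rpID, challenge))
	if err != nil {
		panic(err)
	}
	return a.CredentialID, sig
}

// Credential is all the relying party stores per passkey: a public key, not a secret.
type Credential struct {
	Device    string
	PublicKey *ecdsa.PublicKey
}

// Account is one user's record at a relying party: a set of passkeys keyed by
// credential ID. Each device registers its own; losing one exposes no others.
type Account struct {
	RPID  string
	creds map[string]Credential
}

func NewAccount(rpID string) *Account { return &Account{RPID: rpID, creds: map[string]Credential{}} }

func (acc *Account) Register(a *Authenticator) {
	acc.creds[string(a.CredentialID)] = Credential{Device: a.Name, PublicKey: &a.priv.PublicKey}
}

// Revoke drops one passkey by credential ID; every other registered key is untouched.
func (acc *Account) Revoke(credID []byte) { delete(acc.creds, string(credID)) }

// Authenticate verifies the signature over this session's challenge with the public key
// registered under credID and names the device holding the matching private key.
func (acc *Account) Authenticate(challenge, credID, sig []byte) (string, error) {
	c, ok := acc.creds[string(credID)]
	if !ok {
		return "", errors.New("unknown or revoked credential")
	}
	if !ecdsa.VerifyASN1(c.PublicKey, toBeSigned(acc.RPID, challenge), sig) {
		return "", errors.New("bad signature")
	}
	return c.Device, nil
}

func main() {
	acc := NewAccount("example.test")
	phone, key := NewAuthenticator("phone"), NewAuthenticator("yubikey")
	acc.Register(phone)
	acc.Register(key)
	acc.Revoke(phone.CredentialID) // phone lost: its credential ID names the one key to drop
	ch := randomBytes(32)          // fresh per-login challenge; an old signature is useless
	id, sig := phone.Assert(acc.RPID, ch)
	fmt.Println(acc.Authenticate(ch, id, sig))
	id, sig = key.Assert(acc.RPID, ch)
	fmt.Println(acc.Authenticate(ch, id, sig))
}
```

Run it with `go run` and the lost phone is rejected while the other device still logs in. Real WebAuthn verification additionally checks the origin in clientDataJSON, the user-presence/verification flags and the signature counter; the point of the toy is only that each passkey is its own public-key entry which can be revoked alone, that the relying party never holds anything a thief could log in with, and that a signature over one challenge is worthless for any other.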
Tons of people walk around with lots of little hardware security modules every day. They've got a wallet full of chipped credit cards, they've got car keys with transponders, etc. What's one other piece of plastic on the keyring? What's one more card in the wallet?
> some phones don't even have USB ports
Practically no smartphone sold today has no USB ports. And besides, we're talking about activating a new phone, so chances are that new phone is going to have a working USB port.
If they don't even own a smartphone and don't want to own one, well, then sure I'd agree they maybe shouldn't use passkeys. But if they're not using a smartphone they're probably not too worried about logging into their iCloud account or Google account or whatever on their dumbphone. So I don't see the issue of their dumbphone not being able to log into the services which aren't supported on the device anyways.
I'm not necessarily arguing they're for everyone, but they do apply to most people in most developed countries. They should be an optional way to access your account.
> on vacation and your phone breaks, who really keeps a second phone around constantly
It's not a second phone, it's either the YubiKey on my keys, probably still in a bag/safe in the room if I flew somewhere, or it's in my pocket.
> someone breaks in and steals your backup phone
Yeah, I'd probably want to go about disabling it eventually. But generally, I'm not too worried in the immediate time. You need to unlock the device to get access to the passkeys. If you fail too many times, you're not getting access to the passkeys, ever.
> Effectively my email account is like a second device in the password system
So effectively all your accounts are protected by a single password that's available to have people attempt your password anywhere, anytime, pretty much however fast they want to.
> Sure a second, different email account could get itself password guessed but the chances of that are so small
As someone who's managed email for a lot of people, it's really not that small of a chance if it's just a password to an email account.
The only thing I'd potentially be really worried about is a house fire, but pretty much every important account of mine has backup passphrases in the fire-resistant safe. I do live just down the street from the fire station though, so the odds of a fire burning up all my stuff including everything in the fire-resistant safe seem pretty low. Probably lower than your everything-in-your-life email, protected by just a password, getting hacked.
I mean in the interim. How do they get into their email to find their support contract to get another phone if they can't get into email without their phone?
What if you're traveling and there is no Apple Store nearby? And now you can't log into your email to get your travel itinerary or your transportation receipt?
The greater point is not the specific edge cases, it's that they haven't been worked through. Even a sophisticated user like myself doesn't want to use passkeys exclusively yet because of this very reason. I'm not confident that I won't get completely locked out when it's absolutely critical that I get in.
As he's 70, he's using an old desktop PC and doesn't have a smartphone. He uses the on-device passkey system. One day, months down the line, Bluetooth gets switched off for whatever reason. What then?