you can use a password manager to store your private-passkeys, so as long as you have access to it, you don't need to worry about lost devices

how do you want to detect if the user has a password manager? Checking if the DOM is changed by the password manager's autofill?

I believe the client side exposes a global ID as part of the WebAuthn flow, which would let me only accept IDs from 1Password, Bitwarden, etc. But I haven't verified that.

clearly biased: https://corbado.com

Great step into full cross-platform passkey sync capability - now only iOS of the major operating systems is left. This will be only a matter of time IMO.

Hey,

I am Vincent from Corbado. We’are building a dev tool that lets you easily integrate passkey auth into your applications. Since secure & user-friendly authentication is very important to us, we have had hundreds of talks with devs and PMs on how we can help them integrate passkeys and thus make the Internet a safer place by sharing our passkey learnings. Many said they are not sure if their users’ devices are passkey-ready.

Therefore, we built State of Passkeys, a free tool, where we provide passkey-readiness data that we collected over the past years to help other developers and product managers roll out passkeys with confidence.

To determine the passkey-readiness of their users’ devices, State of Passkeys serves the largest existing, publicly available data collection on passkey-readiness. You can get analytics on passkey-readiness depending on operating system, device, browser and passkey-readiness features (WebAuthn, platform auth, Conditional UI, passkey sync).

The data is collected (anonymously and GDPR-compliant) via an analytics script by using the browser Web Authentication API.

We're really happy we get to show this to you all, thank you for reading about it! Please let us know your thoughts and questions in the comments.

Check it out here: https://state-of-passkeys.io

There's a new trend coming up of "Smart Wallets" which make use of synced passkeys for authentication.

I can share a blog post about this topic that I recently wrote if you're interested in some details (e.g. Coinbase did it this way).

1) They link the public key to your user account in their database.

2) Passkeys are 2FA by default. Someone needs to steal your phone where the private key is stored (first factor) and they would need your Face ID / Touch ID / PIN Code (second factor). Just loosing your phone doesn't give someone else the chance to use your passkey for authentication.

Yes, that might be a strategic thinking of big tech. Still you can use third-party password managers like Bitwarden, KeePassXC or 1Password to take care of your passkeys. I think, for most non-technical users, they will go for the Apple/Google/Microsoft credential manager option but if you're more tech-savyy, there are ways to stay independent of big tech.

Agree. If I show my parents or great-parents TOTP, they're usually lost and hate it. Recently, I've seen a study that anyway +90% of users choose SMS OTP over TOTP.

Why would it be bizarre to have passkeys?