I'm very bearish on Passkeys as a concept. As a technologist and security advocate, I'm glad that it helps to defeat phishing attacks, and the problem of reusing passwords/credential stuffing. But the UX is just not there yet. I jumped on the hype train and set up Passkeys for my Google account using 1Password, from Chrome on my iPhone. At some point, the enrolment procedure "failed", that is to say, my passkey was set up, but I didn't know it, so I repeated the procedure. This meant I had two "identical" passkeys for Google in my 1password, and two passkeys to which to sign into Google.<p>Neither Google nor 1password had any way to distinguish which key was which. There's no export functionality (yes, I understand this is by design). There's no (user facing) key IDs. So, my choices were: accept that I have two passkeys, and never know which is which; risk deleting one or the other, or abandon the whole notion and go back to hardware 2FA.<p>This doesn't even get into the mess of:
* browser based passkeys: what if I switch computers or phones? Now I have the "yubikey problem (have 3 so you can safely lose 1)" for every single device I own.
* hardware security tokens (Yubikey): in the case of Google, they aren't accepted as a "sign-in" passkey, only a "verification" passkey. However, a browser passkey is accepted. Do I need hardware 2FA? Do I need a password? I have no idea.<p>Let's be clear. There are absolutely solutions to all of the above. I am certain I made bad assumptions or mistakes here. But I also have been using computers with a bent towards security for my entire life. If I can't get this right, how is the average user being pushed to go "passwordless" on eBay going to deal with this mess in 3 years?<p>If you're a company considering implementing this, I'd be taking a very hard look at the ongoing support costs dealing with confused and panicked users locked out of their accounts.
What happens if I have an account on website or soo A and it was created using passkey which was by Apple and Apple closed/disables my account for some reason?<p>For an end user - beyond the technical bells and whistles — it’s kind of same as Signin with Apple ID, isn’t it? Or Signin will Google. Right?<p>Besides this is going to create huge lock-ins and dependencies I am afraid. And that part of it looks bleak — all the mega corps are pushing and none of them are known for “openness”. They want to get as many as of us in their yards and then things will start to get less open very soon.<p>I mean if I have a passkey on Apple and I am with a device that’s not Apple I am not really sure how that’ll work and I may not be able to access my account, or do it easily.