
I solve this by creating two passkeys for each account, for iOS and Chrome. This covers all the devices I might use to log in and there’s no single point of failure.


The fact that the problem is solvable by technically savvy people doesn’t stop it from being a problem for the general user.


To add an insanely unsatisfactory solution as well.

Even passwords are better. Seriously.


Many passkey-supporting sites only support a single passkey per account.


This feels like the biggest misstep that may impede the success of passkeys to me. It's not that surprising, though, since it's pretty rare to find genuine support for multiple authentication factors of the same type already. You can usually only register one number for SMS, and/or one TOTP authenticator, etc. It seems like a lot of sites never really understood (or cared about) the benefits of MFA to the user and so can't be bothered to really understand passkeys either.


I keep hearing this but then the only example I'm given is PayPal and that AWS used to be this way. What big sites do you experience only allow a single passkey?


Yes, this definitely needs to be fixed!

Besides passkeys, some websites have alternative backup authentication, though, such as backup codes. However you do it, there should be an independent way to log in.


I use a passkey on every site that supports it (say two dozen at this point). I have never encountered this.


Which is a serious flaw in the standard.


Which?


PayPal is one I've encountered.


PayPal, as far as I can tell, doesn't even (intentionally) support passkeys. They refer to all WebAuthn credentials as "security keys" and remind me to "plug it in and touch it now" etc.

I'm honestly already glad that they didn't make their annoying browser fingerprinting rigorous enough to also block authentications and aren't requiring attestation.


Even Google account's MFA allows backup codes, at least in the Enterprise accounts.


I get that this is a way to do it in practical terms, but isn't that just like having to have two passwords for each site (outside the fact that passkeys are a bit more secure than passwords)? I thought one of the main points of passkeys was to reduce admin.


If you can do that, you also have enough tech savviness to use passwords securely.


The security of passwords doesn't just depend on users though.

https://haveibeenpwned.com/PwnedWebsites


2FA does not protect against a website getting hacked.


The problem that passkeys solve is not that of their user. It is that of the website that authenticates its users. With mere passwords, there is no way they can be sure that the user follows the required password hygiene. With passkeys, there is no way a user could set up something insecure.


Are we talking savvy users or regular users?

Regular users would not set up double passkeys, and would suffer vendor lock-in. They would be better off with a password manager instead.

Savvy users know how to follow password hygiene, and have no need to have it enforced on them. So they don't need passkeys either; they would be better off with a good password manager.


Exactly what I am saying. Users don't need passkeys. Auditors and other guys from the checkbox compliance department on the opposite side do, for "security posture".


That doesn't solve anything. You just have twice as many problems now.


What are you talking about? Redundancy is how you avoid getting locked out. Each passkey serves as a backup for the other one.

More generally, you should have two keys for any lock, so you can still get in if you lose one of them.


Setting up both Apple and Google passkeys solves:

* Lost access to your Google account, but still have access to your Apple account (or vice-versa)

* Apple device doesn't support Google passkeys, or vice-versa

But it multiplies the following downsides:

* Apple/Google account gets hacked, hacker gets all your 2FA credentials

* Snooping on your activity. Particularly Google, but Apple also have an advertising business.

* Setting up accounts on new sites is twice the hassle.

* Too complicated for the kind of folks who need the phishing protection passkeys provide.


> I solve this by creating two passkeys for each account, for iOS and Chrome. This covers all the devices I might use to log in and there’s no single point of failure.

This just seems to mean that, instead of being one corporation's whim away from being locked out of all your accounts, you're two corporations' whims away. That's better, but I'd hardly call it solved.


“Google says no” is a threat model I’m concerned about, but it doesn’t seem particularly likely, so I’ll pick another passkey manager if it happens.

(If it ever happened, Gmail and Google Photos would be a bigger loss.)


Does that mean you're locked into iOS and Chrome?


Congrats. Your problem is solved in the two or three places that actually allow or even implement any logic for N passkeys. In most places that will just give you a new account or wipe the first key.
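The "wipe the first key" behaviour described here, and the single-passkey-per-account complaint earlier in the thread, come down to how the relying party stores credentials. The following is an added example, not code from any commenter or from any site named in the thread: a minimal model of a WebAuthn credential store that contrasts the overwriting pattern with one that keeps N credentials per account, so each passkey is a genuine backup for the others. Class and function names, the `provider` labels and the credential IDs are constructed for illustration; signature verification and challenge handling are out of scope.

```python
"""Model of a relying party's passkey store: one credential per account
versus N credentials per account. Added example; all values constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Credential:
    credential_id: bytes   # opaque ID returned by the authenticator at registration
    public_key: bytes      # COSE public key, treated as an opaque blob here
    provider: str          # constructed label, e.g. "Apple" or "Google"


@dataclass
class Account:
    username: str
    credentials: list[Credential] = field(default_factory=list)


class SinglePasskeyStore:
    """The limiting pattern: registering a second passkey replaces the first."""

    def __init__(self) -> None:
        self.accounts: dict[str, Optional[Credential]] = {}

    def register(self, username: str, cred: Credential) -> None:
        self.accounts[username] = cred  # silently wipes any earlier credential

    def credentials_for(self, username: str) -> list[Credential]:
        cred = self.accounts.get(username)
        return [cred] if cred else []


class MultiPasskeyStore:
    """Pattern that supports backups: an account holds a list of credentials."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.by_cred_id: dict[bytes, str] = {}  # credential_id -> username

    def register(self, username: str, cred: Credential) -> None:
        # Credential IDs are globally unique; a repeat is a bug or a replay.
        if cred.credential_id in self.by_cred_id:
            raise ValueError("credential ID already registered")
        account = self.accounts.setdefault(username, Account(username))
        account.credentials.append(cred)
        self.by_cred_id[cred.credential_id] = username

    def exclude_credentials(self, username: str) -> list[dict]:
        """Value for PublicKeyCredentialCreationOptions.excludeCredentials so an
        authenticator that already holds a credential for this account does not
        create a duplicate instead of the user adding a second device."""
        account = self.accounts.get(username)
        if account is None:
            return []
        return [{"type": "public-key", "id": c.credential_id} for c in account.credentials]

    def lookup(self, credential_id: bytes) -> Optional[tuple[Account, Credential]]:
        """Authentication: map a presented credential ID back to its account."""
        username = self.by_cred_id.get(credential_id)
        if username is None:
            return None
        account = self.accounts[username]
        cred = next(c for c in account.credentials if c.credential_id == credential_id)
        return account, cred

    def revoke(self, username: str, credential_id: bytes) -> bool:
        """Remove one passkey (lost device) while the remaining ones keep working."""
        account = self.accounts.get(username)
        if account is None or credential_id not in self.by_cred_id:
            return False
        account.credentials = [c for c in account.credentials if c.credential_id != credential_id]
        del self.by_cred_id[credential_id]
        return True


def demo() -> tuple[int, int, int]:
    """Register an Apple and a Google passkey for the same user in both stores.
    Returns (single-store count, multi-store count, multi-store count after
    revoking the Apple passkey)."""
    apple = Credential(b"cred-apple-0001", b"pk-apple", "Apple")
    google = Credential(b"cred-google-0001", b"pk-google", "Google")

    single = SinglePasskeyStore()
    single.register("alice", apple)
    single.register("alice", google)  # the Apple passkey is now gone
    single_count = len(single.credentials_for("alice"))

    multi = MultiPasskeyStore()
    multi.register("alice", apple)
    multi.register("alice", google)
    multi_count = len(multi.accounts["alice"].credentials)
    multi.revoke("alice", b"cred-apple-0001")  # lost the iPhone; Google key still works
    after_revoke = len(multi.accounts["alice"].credentials)
    return single_count, multi_count, after_revoke


if __name__ == "__main__":
    print(demo())
```

The `exclude_credentials` list is what lets a site offer "add another passkey" without the user's existing authenticator quietly producing a duplicate, and the `by_cred_id` index is what makes login work regardless of which of the N keys the user presents.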


Really? Which place allows passkey login and only allows one key per account?



