Password managers sync passkeys just fine. If you use one of those, the benefit of passkeys is that some sites skip their SMS 2fa if you use a passkey. The downside is that you can only use them from your own devices, where you have the app/extension.
I don't think skipping 2FA is a benefit. Sure, replace SMS with passkeys or TOTP or literally anything else, but don't actually take away my second factor, please!
Having to pointlessly copy around TOTPs from the same device is just security theater. There's no meaningful security difference for 2FA whether you actually need to copy around those tokens or if you click "authenticate with the key in app on my second factor device".
It's still 2 factors. Just with less hassle (and resulting in more security due to better UX).
Placing a bunch of factors into 1 system is a giant SPoF like storing TOTPs with corresponding passwords within the same password manager. It defeats the whole purpose of 2+FA.
And yet people still need to share authentications between different devices (or people) and back them up for recovery purposes. If you're expecting only what you're saying, you'll find yourself simultaneously disappointed at how low the uptake is in the real world and how many major implementations (e.g. Apple) have a vastly different security model.
No, their point is that they are absurdly long and not phishable. Point b is not practical for mass uptake, as hardware devices get broken/lost/stolen all the time. And no, only nerds will have multiple ones.
Ya really what you want is your passwords saved in an encrypted vault that you can copy from device to device for backup. If passkeys are really one per device and you have 100 passkeys from 100 different services, and moving to a new device requires accessing each of those 100 services to create a new passkey for the new device, that sounds terrible.
> If passkeys are really one per device and you have 100 passkeys from 100 different services, and moving to a new device requires accessing each of those 100 services ....
I'm typing this on my Firefox remote app. Everything is cached in it. It runs in a VM at home.
I've been super happy with it. My logins are always with me but they never leave the house.
> It actually sounds like the best way to use passkeys and still have control over them.
I belatedly recall that I tried to set up a Google passkey in a VM and was rebuffed. Google depends on Windows Hello for passkey presentation prompts - and Hello is disabled in an RDP session (ostensibly because facial rec won't be needed).
I poked at the problem for a while and couldn't find a workaround.
It's simple and convenient, it may or may not be secure, it is not safe, it's fragile. I understand avoiding unnecessary single points of failure is not for everyone.
> The WebAuthn _also_ allows device-bound keys, but they are not "passkeys".
True. WebAuthn is a good fit for a login that's tied to a user - and that user only logs into it from their workstation and maybe a laptop. There are better options when more flexibility is needed.
Happily, there are enough secure options that my phones will always be authenticator-free.
> The whole _point_ of Passkeys is that they are representable as clear-text data, and so they can be synced.
That seems to be counter to everything else I've heard about it so far. If that was the case, exporting would be easy, yet many password managers have had open feature requests for some time (1y+?).
I don't know what the truth is, but if you're right, there's definitely a lot of misinformation about it. Far more than correct info IME.
Migration protocols require the keys to be representable (at some point) as clear text.
And password managers like BitWarden only allow encrypted export, but the encryption key is specified by the user. So you can trivially decrypt the exported data if you want.
I don't have a dog in this race. Just showing where the other understandings come from. Your logic might lead one to conclude that migration would not then generally be available.