I always thought of passkeys as hardware tokens that shouldn't be backed up. It needs to be easy to have an extra one that lives in a secure place. But just as most people don't use secure passwords, they also won't worry about a backup key.
I am not sure that passkeys are any more secure than a random password stored in a password manager. I'm suspicious about password managers being used to store passkeys. I guess they are better since you have to unlock the password manager.
I have had an idea for a place that can verify identity. Walk into a store, they take biometrics to verify your identity, and then give you a card. That can be used to unlock accounts if you are locked out. It does have the risk of employees being bribed. But banks don't seem to have that problem. Making sure it is done in person should help.
Not being able to back up, to storage under the user's control, is the issue.
I don't want a Google- or Apple-backed phone to be the only hardware token secure enough to protect my key.
I want these devices to, RIGHT NOW, support copying their keys to another device that neither party can control. I want an open standard that people can implement in a less-than-$50 secure hardware device that I can duplicate these keys into. I think the UX of a "Key Safe" that is offline, physically securely stored, and can manually and securely have keys copied into it, or copied off it, without Apple's or Google's intervention would solve a lot of the concern about the very real lock-in that's in play right now.