As long as you can sign-in to Google account, you can recover the passkey. developers.google.com/identity/fido/#what_happens_if_a_user_loses_their_device

I think there has to be more than one authentication method/device for each layer. Like let's say you have a Yubikey with a fingerprint reader, you should also have a password generated by a password manager and 2FA with an authenticator app i.e. This way no matter what happens you can still access whatever it is you're protecting in different ways

@@agektmr What if you can't get into your google account?

@@unicodefox You call the LockPickingLawyer to unlock it, cause no device is ever truly safe 😉 But to be honest, at the extremely ill scenario (nothing else to be done), they might want from you your actual personal data, that you have kindely provided in the first place to actually show them you are the genuine person, idk. or... You step into a Google box (kinda like a self secured atm machine, locking you inside for the duration of the process) that vertifies you and prints out one piece of paper where a unique link and code is provided that you have to enter in 3-5 minutes to get back your account. 🙃😉

True, there is also the backwards compatibility and how much it will cost to keep things safe. If you have an external site that manages and keeps your data, that doesn't cost you anything. If you have the user to manage and keep his/her's own data it doesn't cost you anything. But when you go into the teritory of you being the one who has control over someone elses very personal data, then that can become costly, both for you (keeping data safe and secure) and them (keeping up with technology to keep up having their end safe and secure), not to mention trust. For example, a common thing in say banking. On one side you have the security of the bank, on the other you have the security of the user. Internally banks will always be able to keep up with their end being secure (likewise Google), but they can not ensure the user to be secure. So they make it more convenient for the user to access their data by providing, lets say apps methods. In time the devices that run those apps become obsolete and the user is forced to change their device (additional secret cost). Now while banks are desipte all facts more local environment with local crowds, big tech companies are not. So who will take over the cost to enable everyone (normal people) to keep up and use this, as @MihkalJouste said, optional enchancement?

Every website could give an option to use password or passkeys. If you don't want to use it.

You are much more likely to be tricked into giving away your password. Phishing attacks are very prevalent and can look quite convincing. All it takes is not noticing a small typo in the address bar and you're screwed. This method at least prevents it.

@@Andrew-jh2bn true

It's bad. I trust apple keychain, but I use a macbook. I somewhat trust google, but pw autofill is not there outside of browser

@@li_tsz_fung you can copy your passwords from your google account web page. Yeah, not quickest way.

The primary purpose is to decrease phishing attacks. Account recovery is improved under some of these methods and worse under others. But all of the techniques you are familiar with for account recovery (multiple devices, third-party services, email, call on the phone) may still be used.

Decrease phishing attacks... while giving an intensely political corporate monopoly the ability to unplug your bank account, financial records, tax information, social media, and contact information.

@@jonmichaelgalindo There are several solutions here and I'm not sure which one concerns you, but none of them are proprietary. If you don't like one provider, choose another. The FIDO/WebAuthn is hardware that you own, and some of the hardware options lack any internet connectivity by which somebody _could_ manipulate it. You and Luft are right to not trust a single provider for everything, and fortunately that is not the case here.

@@logankennelly No system can solve the authentication problem at all. A human's mind is where you have to store the cryptographic key (secret, AKA password). I was referring specifically to Google's passkey (centralized identity does not solve authentication and is a nightmare trust scenario), but there are zero solutions here. Physical keys can be manipulated by force, just like police use FaceId to get into phones without a warrant, but the real problem is any device relied on for key storage will be lost / damaged, inevitably. It has to be the brain.

@@jonmichaelgalindo It really depends on your threat model. The vast majority of identity compromises are due to credential sharing, phishing, and credential re-use. The solutions here address that 99% problem. If you are trying to protect yourself against a nation state actor, first of all, good luck. Second, learn how to disable biometric authentication quickly (it's easy on Android and iOS). Also, use 2FA to augment hardened login (which may include a password ... not quite sure how that's going to shake out yet). Brains are notoriously bad at remembering thousands of distinct, shifting, and complex items. It's also the reason password recovery mechanisms are often the weakest link. A standard by which your "password" manager is literally incapable of providing incorrect credentials (which is really what this is) seems like an obvious improvement. It's not about a single, final solution, but improving upon the layers that exist today. Your scenario where you haven't taken steps to protect your phone and it's compromised and you haven't enabled 2FA and your phone's app/browser doesn't auto-login is vanishly rare ... and you should probably just take steps to protect yourself You are correct that lost devices are a problem, but email-based (and phone for some services) account recovery is now essentially universal. Passkeys attempt to plug that hole by treating account recovery as more locked down than email, but essentially everyone is incentived to support _some_ method of account recovery.

What kind of developer issues do you see?

No it's horrible

Google should make a real password manager

Use their website and access your passwords on different browsers

Oh, I know! A lock that only we have the key to. We'll lend you the key whenever you need it, as long as you keep using our services and your public actions align with our political agenda. Problem solved. :-)

The website would not get your actual fingerprint. The device would generate a cryptographic key associated with the specific combination of that user and that website, which allows the website to trust that the fingerprint was scanned successfully without ever gaining access to the fingerprint data.

@@aidanbrumsickle Won't that just mean getting a user's fingerprint ones will compromise them? regardless of what the website sees you can get a person's fingerprint pretty early compere to knowing what password they may use

@@thexg0d833 for it to work you would need the fingerprint AND the registered device. You can't use the fingerprint on other devices. And yes, that's probably possible: if you steal someone's phone it's probably already full of their fingerprints. But it's still better than any password you could remember if you're mainly concerned about Indian scammers and not the local expert hacker living nearby that for some reason hates you personally.

No. The fingerprint data never leaves the device.

Spot on! Instead on working on a technical improvements to passwords and auth processes, let's just change the human psyche, how hard can it be????