At that point it’s not an issue with the technology, that’s a user problem.

Unless I'm missing something, just having access to your phone doesn't matter if the method on your phone to authenticate (activate) your passkey is biometric (i.e. face ID) and not a PIN. But if they have your phone login PIN and that same PIN is used to activate your passkeys then yeah, you're in trouble.

Same thing if someone got your password so it's not so different. In most cases you would be using biometric so passkey are still more secure.

​@JJ_in_Raleigh this is why I am not happy with Google keeping and synching my passkeys and the main pin (and I don't trust PINs, I use a proper long password). I prefer third party passkey services, services like proton pass. I think the yubikey manager also might have something. We should really have a list of alternatives and their pros and cons.

Given that some services still have a six character minimum for their passwords(!), I expect it will take a very long time.

Auth apps like 1password use syncable passkeys, Leo in this video is talking about 'on device' passkeys. I think we're transitioning to the syncable type because they are more convenient and cross-platform. Microsoft will support Syncable passkeys in the future, they don't currently.

You're right. Passwords eventually have to go away for passkeys to be fully effective.

Exactly, the bootstrap process is as you describe. HOWEVER the missing point: you need to configured a DIFFERENT recovery email or phone number for the account for just this kind of situation.

Passkeys only sync between devices if you're using a password manager that does that. They're not transferable between providers.

@@askleonotenboom " going to ... and also be"

You would set up the passkey like any other first time use of a device: signing in some other way first.

"people can't even agree on an implementation"? There's multiple ways to implement passkeys, and that is by design. Some implementations are more convenient, and some are more secure. A federal government agency website/app might require device-bound passkeys only, while a video game website/app might allow synced passkeys and device-bound passkeys. "Users are left to figure out if they passkey is device-bound or syncable." They'll learn, like they learned about how some of their passwords are synced (e.g. Google Password Manager), and some of their passwords are not synced (e.g. local offline accounts on desktop PCs and laptops). "When someone "finds" your lost phone and knows the PIN, not only can they access the device, thanks to passkeys they can now also get into your accounts (while you can't)" This is why you remotely deactivate your phone when your phone is lost. Android and iOS devices can be remotely deactivated from another device. "Setting up multiple passkeys for all your accounts takes an ongodly amount of time without offering any benefits" One benefit is that you can still log in if you lose a device or lose access to a password manager. Another benefit is that you don't have to remember your passkeys or write them down. "And let's not forget, once unlocked, your device spills all its passkeys. Passwords would be locked away in a password manager." Your passkeys can be locked away in a password manager, too. Android 14 and iOS 17 and macOS 14 support third-party password managers (Strongbox, KeePassDX, Bitwarden, 1Password, Proton Pass, etc.). Windows is gonna have that same support, too, according to the "device support" page on the "passkeysdev" website.

@@marco31 This is a good solution, but if you also use a passkey for your email and only on the lost phone I'd think you would lose access forever. I of course would make certain to have a backup solution, but it's possible some people are going to set their accounts just like I described, if that is even possible.

I don't think you watched the (entire) video. There's ALWAYS a way back in. Consider: how did you set up the passkey in the first place? You had to authenticate some other way first.

@@askleonotenboom I did watch the whole video so there's no need to bash me, I posted my concern for the benefit and engaging of YOUR channel and audience and I don't think you understood me and I'll prove it. I once remember a Microsoft message offering to remove my password and setup a passkey. No password and passkey on lost phone (with no other backup) = no recovery (If this scenario is possible). Unless the system accepts the old "removed" password or forces you to have an alternative authentication method. Do you understand now?

@@Teisjuit took me two seconds to google: Microsoft account recovery.

@@Teisju And as I said in the video, there's ALWAYS another way to get in. With no password and a lost phone, you'll simply authenticate on a new device some other way, like a message sent to your alternate email address, your recovery phone number, a backup code you set up before hand, or something else. Like I (and the video) said, it's the exact same process you used to set up the passkey on the phone initially

I’d not heard of them until all of a sudden on the PC, after needing to log back in to certain sites, such as Coinbase and Microsoft I started seeing an option for using a passkey. So I started looking into them.

Passkeys are a precursor to going completely passwordless. So not only do you not use a password, there isn't even one associated with your account. This is the state of my Microsoft account right now, for example.

@@askleonotenboom Thanks for your reply. From videos I have seen it always seems that you have to have another way to access your account or at the very least you need a password to create the account. As you say, it is early days so we will see what happens.

@@Steve-PT It could be done without a password from the start, if providers wanted to. Initial Authorization could be via email or text confirmation, for example.

@@askleonotenboom Yes, that would make sense. Passkeys certainly sound quite 'comforting' with their approach to security. Let's hope more organisations take it up! Thanks Leo.

It still doesn't make sense. Passkeys create a huge messs. Suddenly you have sperate "password(key)s" per account and per device. You cannot save them in a flash card, you cannot even print them on a backup paper and on top of that you still need to keep the old passwords, for the case you loose/break/being stolen/or just buy new device. And in a passwordless world, loosing your device means looseng your digital life, because you cannot use your mail if you don't have a password that you can remember

They’re one of those things where it takes a while to get a feel for them. That is, you’ll need to read a few things and watch a few videos. John Savill has a deep dive for example. An hour long video.

No, that's a PIN to simply use the phone. The password is the public key/private key and works behind the scenes. Public key on the server and private key on the device. Lose the device and it's not a problem since the server will generate a new private key for your new device.

The key is not hacked. It's still secured by the security of the device it was on. AND you can immediately deactivate that key remotely if you like.