Passkeys rely heavily on at least one device remaining authenticated. You have to remember, the average user of a given web service does not have an ISP, they literally only have their phone and maaaaybe a decade old laptop that they haven’t turned on or charged since ordering plane tickets pre-pandemic. It is critical that any solution replacing passwords has to work for this average user who literally only has their current phone and trades in their phone every 1-4 years for another one, therefore they do not have a second authenticated device to verify when they get a new phone or their phone breaks and they buy a new one at the carrier store.
I’m happy to be proven wrong, but from my understanding of how passkeys are implemented, they will either lead to account lockout or rely on less secure authentication methods if the only authenticated device becomes inaccessible/inoperable
Passkeys rely heavily on at least one device remaining authenticated. You have to remember, the average user of a given web service does not have an ISP, they literally only have their phone and maaaaybe a decade old laptop that they haven’t turned on or charged since ordering plane tickets pre-pandemic. It is critical that any solution replacing passwords has to work for this average user who literally only has their current phone and trades in their phone every 1-4 years for another one, therefore they do not have a second authenticated device to verify when they get a new phone or their phone breaks and they buy a new one at the carrier store.
I’m happy to be proven wrong, but from my understanding of how passkeys are implemented, they will either lead to account lockout or rely on less secure authentication methods if the only authenticated device becomes inaccessible/inoperable