Just chiming in to ask -- the immediate need for account recovery is in cases with lost or forgotten passwords. Am I right in assuming that account recovery becomes a much smaller attack surface when using passkeys? Or are there scenarios I'm overlooking?
It’s mostly how sites will likely still allow full account recovery with just SMS-based authentication, making account recovery the weakest link. It’s still required, though, in case someone e.g. signs up with a passkey on their Windows desktop and then forgets to enroll one on their phone before taking a vacation.
So you're covered for "forgotten" - but "lost" is still an issue. What happens when a user loses their passkey? (stolen phone, no backups, house fire, etc.)
Got it, thanks. A blind spot on my part there. It's funny how quickly the concept of losing access to a phone has taken root. I'm fortunate to have never had that happen to me, and I need to remember how easily it could.