>Aren't the keys device specific so you need to generate new keys on a new device? It's being touted as a security feature
Yes, the keys are device specific. This is a feature and the reason why it's more secure. If it could be backed up (exfiltrated), it would not protect you in case your device is compromised, which is one of the design goals. You could probably work around this by using an emulated key (which is what Apple does I think?), but that would obviously eliminate this key security feature.
> I'm guesstimating that at 1 hour of the user clicking through various interfaces.
I see, sorry, I missunderstood.
Again, it's just like changing a password or a TOTP secret. Unfortunatelly, no standard can fix bad UX design, but I sympathize. Silver lining is that even cheaper hardware keys are built like a tank, and software is... well... software.
> my concern is passkeys are adding too many dependencies on devices/providers.
Which is reasonable. The question is, is the dependency worth the security benefit? It seems many major device makers/service providers think so.
> Giving me a list of possible devices/providers does not address my concern.
Well, I can't do anything about that, can I? Nor can anyone else.
I think this is, again, a question of priority.
TLS is now essentially a dependency for using the web at large, but it wasn't in the 90s. I'm sure that is of concearn to some people, but most agree it's a net benefit.
Yes, the keys are device specific. This is a feature and the reason why it's more secure. If it could be backed up (exfiltrated), it would not protect you in case your device is compromised, which is one of the design goals. You could probably work around this by using an emulated key (which is what Apple does I think?), but that would obviously eliminate this key security feature.
> I'm guesstimating that at 1 hour of the user clicking through various interfaces.
I see, sorry, I missunderstood.
Again, it's just like changing a password or a TOTP secret. Unfortunatelly, no standard can fix bad UX design, but I sympathize. Silver lining is that even cheaper hardware keys are built like a tank, and software is... well... software.
> my concern is passkeys are adding too many dependencies on devices/providers.
Which is reasonable. The question is, is the dependency worth the security benefit? It seems many major device makers/service providers think so.
> Giving me a list of possible devices/providers does not address my concern.
Well, I can't do anything about that, can I? Nor can anyone else.
I think this is, again, a question of priority. TLS is now essentially a dependency for using the web at large, but it wasn't in the 90s. I'm sure that is of concearn to some people, but most agree it's a net benefit.