
> Most if not all

That this is not a required part of the spec and that it's possible for a website to go through certification and get an official endorsement of support without supporting multiple keys per account is a complete failure of the FIDO Alliance.

One of the big issues with how passkeys are being developed is the painful naivety of the FIDO Alliance about actually standardizing good behavior.

Every response is, "but why would providers do X bad thing?" If we're expecting every provider to allow multiple keys, then require it in the spec. Otherwise, if it's important that the spec not mandate that, then don't tell me that every provider is going to allow multiple keys, because apparently there's a use case for only allowing a single key and we're expecting the spec to need to accommodate that behavior.

----

> I have my phone (Android), my laptop (Windows Hello) and my primary and backup Yubikeys enrolled. I'm not restricted to a specific platform.

That people are seriously suggesting this as a solution to cross-ecosystem recovery and backup makes me skeptical of the potential of passkeys to ever be simpler or more straightforward than passwords are. Normal users can't be taught not to reuse passwords, they can't be taught to do 2FA, and you think they're going to proactively enroll multiple keys in every website they sign up to?

That's not going to happen; what will happen is they're going to lose their Android phone and they won't be able to do cross-device authentication without it, and they won't have proactively done cross-device authentication on their Windows machine, and the only way to get access to those keys will be to buy another Android phone. "Register multiple devices ahead of time" is only a solution if you expect passkey usage to be restricted to niche technical groups.
