Both of the major smartphone companies (Google and Apple) have pretty robust account recovery processes. Are you familiar with all the options they have? Your comment gives me the impression that you are making assumptions about what would happen, instead of doing research on how it actually works.
I experienced Google's recently and it was very robust.
Even before passkeys, the average user would have major problems if Apple and Google didn't have good account recovery processes.
There's nothing different about using a password vs. a passkey that makes it easier or harder for vendors to lock you out. I am not sure where this misconception comes from.
Whatever process a vendor requires someone to go through in order to gain access to someone's account when they pass away remains the same whether the user previously used a password or a passkey to login.
Are you aware of any vendor that actually does have differing policies based on the account's login credential type? I'm not aware of any.
The only one who can lock me out of my relationship with e.g. HN is HN.
With passkeys:
Now I can be locked out by HN or by the passkey provider.
Sure, I could use a local passkey provider, but the protocol provides a way for the site to enforce a whitelist of passkey providers, so it's not clear that would be an option. Particularly for businesses like banks, which tend to adopt an approach of "if a security restriction is possible, it should be applied". Or even just the typical tech PM perspective of "we want to include logos for the log in with X, and I think more than 5 logos is ugly so let's just whitelist LastPass, 1Password, Google, Microsoft and Apple and be done with it".
If I want to move a password, I either already have it memorized or I find it in my manager and write it down.
If I want to move a passkey out of my Apple keychain, last I heard the answer is to just make a new passkey. The important part of the secret is 100% under their control. It makes me very squeamish.
(1) is already true today. There is no way for services to enforce whether a passkey is stored in software or hardware.
(2) I understand you don't like the user experience. But to make a technical clarification: requiring a user action to prove there's a human involved in the login action (e.g. by clicking a button in UI or requiring Touch ID) does not necessarily mean there's another factor involved at all (MFA). What you are describing is more of a "liveness check" than a separate factor/separate credential.
> (1) is already true today. There is no way for services to enforce whether a passkey is stored in software or hardware.
Challenge: Go and try to register a non-blessed passkey type with PayPal and come back and share your experience.
> (2) I understand you don't like the user experience
Pretty much my complaint. Passkeys allow for service providers to do dumb things that result in terrible UX. With Password + TOTP, I don't get asked to touch a sensor, enter a PIN, enter an unlock password, etc.
In theory any code could be written at any time that does something good or bad. Sure.
But in reality, the people who actually work on these standards within the FIDO alliance do not want a world where every website/service makes arbitrary decisions on which password managers are allowed. That would be a nightmare.
The primary credential a user relies on for logging in (whether it's a password or a passkey) is pretty unrelated to the "lockout issue". The lockout issue is really the age-old question of: what happens if I can't do a normal email-based account recovery flow (aka "I forgot/lost my password/passkey")?
People should be setting up Recovery Contacts so that they have a way of getting back into their Google account even if they lose all credentials (passwords and/or passkeys) and all their devices.
I don't really use Gmail (I have self-hosted for more than 25 years), but I do have a few throwaway Gmail accounts that I registered way back when Gmail started. They all have recovery contacts/emails configured.
A few years ago Gmail stopped letting me log in. The password was OK. It was saying something about my login being suspicious or something and that it would send me a code to my recovery email. I was getting the code on the recovery email, entering it, and getting back a message saying "we still not sure that everything is ok, try again later".
It took 6 months before I was able to log in to the account.
I legitimately wish there was an option for: "I show up for my appointments 100% of the time and I'll agree in advance to pay a giant fee if I ever don't show up, if you promise not to bother me with appointment confirmations every time".
Not sure why this is being downvoted. This user (palata) is correct — phishing is any attempt by an attacker to trick a user into giving up sensitive information.
If you want a deeper dive into the security engineering of iCloud Keychain, the second half of this Blackhat talk by Apple's head of Security Engineering & Architecture (SEAR) is really great:
Does all of that matter if an attacker has access to your device and can take screenshots of your conversations, or read those conversations out of memory in their unencrypted state?
No it doesn't — that's a totally different threat model.
Advanced Data Protection is mostly concerned with protecting data from attackers on the server and in transit.
If you're interested in protections when an attacker has physical access to your device, you should read the "Encryption and Data Protection" section of Apple's Platform Security Guide.
The difference is that if the NSA has physical access to my phone, I'm probably aware of it. It makes routine fishing expeditions across broad populations much harder and more expensive, as well as easier to oppose.
If they can fish remotely and automatically, accountability goes completely out the window.
>all the encryption in the world does not matter if either end of the conversation is confiscated or pwned by adversaries.
Yes, of course, but it's not so simple to bypass the hardware-enforced protections that exist both device side and server side. As far as I can tell, it seems effort was made to design/architect everything in such a way that the protections can't be retroactively circumvented even under legal compulsion.
Disclosure: I previously worked for Apple, but not on the design/implementation of any of this stuff, and these are all my own opinions, not those of Apple.