
As a user I still don't understand this.

What happens if there's a house fire or something and all my devices where I'm logged in with Google break? How do I log into my account again?



Just happened to my in-law. She dropped her phone on the stairs, the screen cracked, and it became unresponsive. I gave her an older phone I had and swapped the SIM fine. But she couldn't figure out how to log in to her Google account because it was so adamant telling her to use her phone. Her laptop was logged out of her email, etc. Fortunately I have backup tokens for her from a previous incident heh. I have no idea what other folks will do.


A few months ago Google wouldn't even accept backup tokens for me. I was on vacation, and that tripped enough fraud detectors to cause problems. I couldn't log back in till I got on my home network and changed my password.


Back in the old days with no 2FA and only username/password access geolocation lockouts happened every time I went travelling. You could regain access by getting a code from a recovery email, but that often got locked out as well!

Eventually I set up my own VPN server so that the services still thought I was using my home IP.


I don't know the specifics of how passkeys with Google work, but don't they usually require multiple synced devices?


Get a lockbox at the bank


I don't know how Google solved this, but it's an old solution. Shamir secret sharing. You break apart your keys into M pieces, where you need N pieces to reconstruct the key, so let's say 3/8. Then you need 3 pieces out of the 8 pieces it's broken into to recover your key. You take each of those 8 pieces and give to trusted sources. When you need to reconstruct your key, you have at least 3 of those give you the key and you recover.

How does this look in implementation? When I implemented this in multipasskey (YC demo), it would ask you to select contacts you trusted. Then it would send the sharded parts of the key in the background to them. If you need to recover, you make a request to them. It would reconstruct your device key when you got enough pieces. Once you have your device key, it would download your encrypted backup of keys from the remote server and you are back as new.

I called my project multipasskey in 2017/2018 and applied to YC with a working demo and they said nope. I'm going to assume that I sucked at selling it. ;-)


I had the same idea about a decade ago but never bothered to try to implement it. I felt like it would have suffered from the same problem all other technologies have in security: overly complex user interactions. The concept makes sense, but getting N other people to commit is overhead the average user probably doesn't want to deal with.


So I preferred the idea of regular folks for backup, for security reasons. I thought of the idea of professional users like say your bank or a 3rd party. The issue is that it's far easier for the govt to subpoena those pro 3rd parties and recover your key. Whereas, they would have to know which of your friends you used for key recovery to be able to do that. The idea was to make it tough for a bad/powerful actor to steal your key. Of course, the challenge is that a non-social person would need friends or to depend on ISPs, banks (pro 3rd party providers). My goal besides security when building this project was to break the chain of 3rd party auths (Google, MS, Github, etc) :-(. They use their auth as a way to lock folks into their ecosystem and if you offend them in any way, you could lose access to everything. Offend Google on adsense and lose your personal photos/email. Offend Amazon on sales and lose your prime streaming/AWS access. Hopefully as the idea picks up, the monopolistic corps can be tackled again to remove such power.


I wholeheartedly agree with where you were aiming your goals. Other thoughts I've had:

- What if access is time critical but your backup people are distributed across timezones? Or they aren't available for some reason? Could be hours to days before you could recover your account

- Adding/removing people as they enter/exit your life could make it a challenge to maintain (PGP + trust vibes)


Now there is a technically savvy solution that is a technical tour-de-force.

Very very cool.

But also completely unrealistic for the average person to use.


How? The usage was very easy. You select a contact and add them as your recovery contact (by selecting the contact from your contact list). The system adds the key in the background. If they don't have the app, the app asks you to tell them to install the app (viral growth?). The users didn't need to know anything technical. Just install the app, and click yes/no like they do with a 2FA app.


I think the challenge is more coordinating the 8 people who will be a trusted part of your life long-term. Also they’d have to be sure to keep their fragments of the key intact through replacing devices, etc, no? Seems like just keeping a Yubikey in a safe deposit box would be simpler.


Define ‘safe deposit box’?

If it is a safe at your home, you need to have a fixed home address in the first place, and the usual advice about off-site backups also applies.

If it is at friends or family, you’re back at the same problem.

If it is a rented deposit box, you need to trust the company you rent it from (banks don’t usually offer such services anymore, and there are risks like in [1])

[1] https://www.nytimes.com/2019/07/19/business/safe-deposit-box... (archive: https://archive.is/7qbkR)


if they replaced their device, their new device would still preserve your key, just like you replacing your device keeps your key.


I don't have eight people, what then?


You use different numbers, for example 3/5 or 2/3.

You have to have at least 3 peers, though (IIRC, 2/3 is the minimum split possible that would provide fault tolerance).


I’m not in the crypto world to know why this is the way it is, but if you only need 3 pieces out of the 8 to reconstruct the key, why split it into 8? Is it to have a larger pool should you need it/higher odds of being able to gather 3 should some pieces be lost?


Sounds like a great idea. Sometimes it's hard to be so in tune with the technology, and also be the salesperson!


Added bonus you can’t die unless someone locates each piece and destroys them all


To add, it is pretty poor there is no FAQ linked to from that post to answer basic non-technical questions as to how this is intended to be used.

I assume as a technical person, the answer is I should have a backup device with a friend and/or store my passkeys somehow on my Apple or Microsoft or password manager account as well.

But it needs more explanation in detail from Google!


So now that "friend" has access to your account? How is that more secure than my 32 random character password I store in an encrypted Keepass database that I back up offline?


You can try this: https://support.google.com/accounts/answer/13548313?hl=en, this help center page is linked to from various parts of the product experience for regular users to get a better idea about passkeys if they are interested.


The page did not answer the questions they asked.


You have a valid concern, but I'm curious how many sufficiently non-technical users would be reading Google's blog. Practically speaking, it could be a moot point.


I had a fire. I lost every single thing I own, except my landlord grabbed my phone, bless him. Otherwise I would have been totally stuck as all my TOTP apps are on there.

Also, never lose your phone number. I can't get back into my Google account even though I have the username, password and recovery email because I can never get the SMS code.


> Also, never lose your phone number. I can't get back into my Google account even though I have the username, password and recovery email because I can never get the SMS code.

This is an excellent point. Google seems to be uninterested in addressing this transparently, but despite their push for phishing-resistant MFA and first factor sign-in options, they still consider a phone number to be golden evidence.

My father changed his phone number last year and never updated his Google account. Despite having a recovery email address he could access, TOTP, and printed backup codes, it was not enough. Google wanted to “verify it really was him” after a move (and IP address change) and it doesn’t even allow a password reset to be authenticated with any other recovery option. Phone number or bust.


I have heard and read about a number of similar cases where people can get completely locked out of their account despite being able to authenticate correctly, because they lost access to some other required resource that Google decided is essential. I'm very skeptical about the utility of these types of security policies. I'm sure they prevent hacking in some cases, but they also greatly increase the chance of a legit user permanently losing their account which is a pretty freaking bad outcome for someone who has all of their email, messages, photos, documents and more stored in their Google account.

Given the importance of these digital services I expect that refusing to provide support to users in this situation, as Google is well known to do, won't be legally tolerated at some point in the future. Unfortunately this won't be changing anytime soon, so the best we can do is inform others about the risks of relying solely on Google for anything important and hope people backup what they can.


> never lose your phone number

The forced SMS 2FA that banks and credit card companies have started implementing infuriates me for exactly this reason.


Especially when they migrate previously password-only accounts to requiring what they think your phone number might be, and especially given that it costs under $15 to borrow somebody's phone number for the day without their knowledge.


I need to find one of these services so I can borrow my old phone number for a few minutes to get back into my Google account before it is erased at the end of the year in Google's oncoming purge.


That’s not so much a problem, because you can always go into a bank office and show ID.


Have had to recover from 0 pretty similarly. My backup approach basically started with the fact that I knew the password to a cloud storage account that I had uploaded a keepass vault to, and that keepass vault had the password to my primary backup provider. In a full no passwords world, I would have had no chance to do so.


Lucky break there! It makes you re-work your entire security setup though, I tell you. I'm a bit smarter now for having that happen to me.


Getting locked out of a Google account because I didn't have the number anymore happened to me too. Even though I had everything else even backup email verification, password, etc. Was a massive hassle.


Did you ever get back in?


No


In my country my phone number is linked to my government issued ID so I don't need any physical properties to recover it (this might take some time though but for me it's still the best option).


The solution would be to have a separate phone and phone number used solely for authenticating. It will never leave home, and never be used except to authenticate. Still vulnerable to home fire, however.


And what do you do when you go abroad and a web site says "Oh, looks like you are logging in from a new location - please check your SMS for a PIN now" :(


Use an SMS mule like the one described by

https://news.ycombinator.com/item?id=28251107

I use "SMS Gate", an open source app available on F-Droid:

https://f-droid.org/en/packages/com.github.axet.smsgate/


Here's a better write-up I did:

https://kozubik.com/items/2famule/


Don't tie your google account recovery to SMS. I left that option blank.


All the Google accounts I had to use for work eventually required a phone number.


Google Workspace is different than a private account, which is what we are talking about here.

With Google Workspace an admin can reset / disable your 2FA, so that part is out of your hands anyway.

Finally, I don't see anything in Google Workspace that requires a phone number. Someone can correct me if I'm wrong there.


If google thinks your login is suspicious, it will look for 2FA. If you don't have a phone number tied to that account at that time, it will insist you add one.

Discord does the same.


That is not true. There is no requirement for a phone number.


https://www.reddit.com/r/GMail/comments/zegzh6/to_help_keep_...

I'm not the only one to have encountered this


Again, that's not a requirement for a phone number.

That's asking a user to verify themselves with a provided number.

Likely because the user doesn't have anything else set up for 2FA.


This is not true. It will ask for a provided number if you've already provided one, but if you've never provided one, it'll ask for any number and treat that as the provided number for future reference.


> This is not true.

What is not true?

> if you've never provided one

I started this thread off with don't provide a number.

Again, set up an alternate 2FA with them and you won't have to deal with a phone number at all.

> and treat that as the provided number for future reference

Even if they did add it in, you could remove it later.


> What is not true?

The claim that google will never insist you set up 2FA by providing them a phone number if their ML algorithms decide your log in is suspicious.

Based on my own experiences with a little used google account and finding the messages of other users who have encountered the same error.

What is your basis for claiming that my position is untrue?


> The claim that google will never insist you set up 2FA by providing them a phone number if their ML algorithms decide your log in is suspicious.

1) that's not what I said.

2) that flow you describe isn't asking you to set up SMS 2FA. It is asking you to verify an account with SMS. Likely because there is no other way for them to verify your account.

> Based on my own experiences with a little used google account and finding the messages of other users who have encountered the same error.

The number of people who've reported that error is super small. Even the link you provided is 10 months old. This must be related to an edge case of not having another 2FA set up.

> What is your basis for claiming that my position is untrue?

You said that it insists you add a number. I don't believe that is true. The example you provided does not show that is true.


Passkeys are a new technology and everyone - including users, service providers, and organizations - will take time to learn and adapt. In this interim period the recommended approach is to provide passkeys as an alternative to whatever is already offered. This is the approach that Google and many other service providers are taking.

That said, you are bringing up the right questions on the general topic of account recovery that everyone should be asking even without passkeys: "How would I login if I forget my password / lose access to my password manager / lose my second factor devices" and have a plan. Introduction and adoption of passkeys do not completely eliminate the need for thinking about your account recovery situation.

However, there is one special case where using passkeys is actually better for account recovery. If you create passkeys for your Google account on an Apple device with iCloud keychain, the passkeys are synced to your iCloud, so now even if you lose all your devices because your house burned down, as long as you have access to your iCloud account, you can just get all the passkeys for your Google accounts (and other websites).

Now, you may ask: "what if I lose access to my Apple iCloud account?" -> that's a fair question! Which is why I said Account Recovery concerns do not completely go away - but they can be significantly reduced with passkeys in many cases.


All those issues were obvious from the day zero, and raised multiple times by many people. They're deliberately ignored by the stakeholders.

They strongly want to lock you in to their own authentication platforms (iCloud Keychain, Windows Hello, 1Password*), that's why they don't want to address this.

It's impossible they're not aware of those issues. Anyone with a brain and some technical expertise would come up with those questions in an evening or two, and Passkeys were worked on for months. To the best of my awareness, there is no official acknowledgement (support replies of "no, you can't do this" don't count, that's just restating facts, not acknowledging an issue).

*) Ok, 1Password says they're all about user freedoms and that it's up to user to decide where they store their passkeys - but that's what they say, not what they do. What they do is indistinguishable from Apple and Microsoft.


You can recover access to your iCloud Keychain even if you've lost 100% of your devices.

See the section titled "Recovery security" in this article:

https://support.apple.com/en-us/102195

Relevant excerpt for those too lazy to click through:

"However, it's also important that passkeys be recoverable even in the event that all associated devices are lost. Passkeys can be recovered through iCloud keychain escrow, which is also protected against brute-force attacks, even by Apple."


If I understand it correctly, this only works on another Apple device, though. So you'll need a spare iPhone or something.

Also, I'm pretty sure if Apple decides to block your iCloud account, you're most likely SOL.


> To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number.


On account recovery, the user is strictly no worse off with passkeys relative to passwords and arguably actually better off in many cases. This is not what I'd call deliberately ignoring concerns.


Yes, but if you had to resort to recovery you’re already past Passkeys or passwords. Recovery is not exactly in either’s spec, it’s a separate matter. Saying “but recovery is the same” is pointless - sure it is, by definition, because it’s out of scope.

Passkeys make it more likely that you’ll have to resort to account recovery, because it’s explicitly easier to lose passkey access than password access (assuming that all platforms that implement passkeys implement password management as well, and that every password manager allows “export” by showing the password to the naked eye).

One can write a copy of their password in a notebook and use it from anything with a keyboard and network connection. This mechanism is built in.

Passkeys are explicitly worse in this regard, as they don’t address export at all. Some implementations may be at par, but the overall spec is strictly worse, as it fails to address a number of obvious issues.


How can a user, right now, take control + ownership of backing up their own pass keys, without iCloud or Google?

This is a privilege I currently enjoy right now, and one I am not really eager to give up.


It depends on your web browser. Just see what happens here https://webauthn.io/

Firefox on Desktop tells me to "touch my security key". Not sure how that works. Firefox Android gives me a few hardware options to store my passkey to. Chrome Desktop asks me to enable Bluetooth. Chrome Android asks which Google Account to use.


Just tried that with Firefox on Android and while it works, I can't find any evidence of a stored passkey on my device, let alone a way to export it.


Are you on Linux? AFAIK it doesn't work on Desktop Linux.


I use passkeys everywhere I find them. I do not take control or ownership of backing up - instead I have alternative 2fa or hardware key authentication with all those accounts.

For every account I have a hardware key for, there are 3 hardware keys associated with that account - 2 on-site, 1 off-site.


How do you register your off-site hardware key. Did you have to go retrieve it each time you wanted to make an account?

I suppose every time one makes an account one can register the two on-site keys, and then rotate one of your on-site key to off-site and take the off-site key home with you, and then finally register it.

Maybe I should get a third key...


I think you answered your own question! Three keys is the optimum for ease of rotating (or so you can carry one on your person) - but if your house burns down with your phone in it - you will lose anything set up since your last offsite rotation.

Sounds paranoid / crazy - but I have 0 anxiety about being locked out of an account that matters.


Which hardware keys are you using? And have you found any difficulty in adding multiple keys to a web site?


Yubikey keys - zero difficulty adding multiple - if a site doesn't allow multiple I wouldn't lock my account down to a single point of failure. All the big players seem to offer it, and I can not recall any that didn't. Google in the "advanced protection" days forced you to have more than 2 keys for this reason.

By count of sites, most sites don't appear to take security that seriously so anything more than a password is off the cards, but the big ones - the ones that actually matter; email, cloud, etc. should all be able to be secured.


I've got security keys on Yubikeys, Android devices, and Windows devices. Only one of these are Google.


Password managers like Dashlane and 1Password have announced support for storing and syncing passkeys. As passkeys become more popular I expect more providers to step up as well.

Ecosystem lockin is not how we make a new technology like this successful. And all players in the game understand that.


1Password does not give control and ownership.[1]

[1] https://news.ycombinator.com/item?id=37836783


Appreciate the response. And I wish this message was front and center. The Attestation feature is what worries me, when, say, the bank turns it on for a few 'blessed' providers, or mandate a hardware implementation.

Watching https://github.com/keepassxreboot/keepassxc/issues/1870 with bated breath... :)


Your concern around attestation (mis)use is spot on. I'd say the industry is yet to arrive at an acceptable consensus or compromise on that question.


I use 1Password [0] for syncing passkeys, and it works quite well. I would imagine other password managers are building similar features.

[0]: https://support.1password.com/save-use-passkeys/


1Password does not give control and ownership.[1]

[1] https://news.ycombinator.com/item?id=37836783


Rearranging deck chairs on the Titanic.

This whole scheme depends on either users being savvy enough to do vault backups or depending on service providers being functional.

Both are quite doomed.

Users have a path for passwords - they can write them down on paper and keep them with their important things. This tends to work for most folks.

The backup story for passkeys is horrible. There is no path for my elderly relatives who don't use cloud services.

Until that is fixed, passkeys will never replace passwords.

Don't forget password sharing! That is a whole screwed up story with passkeys too.


Passkeys represent the cumulative wisdom and experience (and compromises!) of the whole industry on how to keep users safe online. Appreciate your opinions that these efforts are doomed. It is safe to say, "We'll surely find out!"


"The Industry" also has interests like making password sharing impossible, uniquely tracking users and _doesn't care_ if users get locked out.

The industry does not put users first. It puts its own risk reduction first.


Did you know that Apple allows sharing passkeys via Airdrop?


Doesn't that give access to everything you've signed in using that passkey? Rather than e.g. Sharing the password for the family Netflix account.


No... A passkey is specific to a context (RP), which is why they're not stored on things like Yubikeys (which I think a lot of people in this thread are confused about -- the keying material on the Yubikey isn't enough to create the passkey).

Your Netflix passkey is not the same as your passkey to other services. It's generated as soon as you enroll the passkey with Netflix (by calling "navigator.credentials.create()") and is identified by an opaque handle and also the public key (this is important, because you never get the public key again so you must keep both of these: the ID, and the Public Key, otherwise you can't verify a challenge-response, since you're only given an ID and a Digital Signature at that point).

For a site to use a passkey it calls "navigator.credentials.get({ publicKey: { challenge: ..., rpId: "<same_id_as_used_when_creating_like_netflix.com>" }, mediation: "silent" })"

Which returns the key ID and a signed version of the challenge, or an error.

Everywhere you authenticate you have one or more keys, identified by these opaque handles which are stored in the User Agent and associated with some mechanism for performing digital signatures with that unique key. The User Agent, generally, has to store and distribute this information if you want to use the same passkey across multiple devices -- even if you're using a Yubikey (because, again, it's not storing the key being used for the digital signature, it's storing a private key which is used in the process of generating the digital signature, but not the passkey's actual private key -- i.e., the secret part of the public key generated earlier).


Only if you exchange contacts first and are ah.. in Airdrop range.

Your grandmom probably isn't gonna be airdropping a Netflix password.


Can I print out the passkey as a QR code and scan it back in on a different device?


> Passkeys represent the cumulative wisdom and experience (and compromises!) of the whole industry on how to keep users safe online.

That is true _if_ you do not highly weigh all the concerns that have been brought up in this thread today. I do not trust Google to help if things go wrong so why would I ever consider such a system wise? Frankly, you seem to be ignoring concerns if they contradict your belief that this system is better. I'm reminded of Upton Sinclair.


Did you see they worked for Google? Or did you guess correctly?[1]

[1] https://news.ycombinator.com/item?id=37833206


> That said, you are bringing up the right questions on the general topic of account recovery that everyone should be asking even without passkeys: "How would I login if I forget my password / lose access to my password manager / lose my second factor devices" and have a plan. Introduction and adoption of passkeys do not completely eliminate the need for thinking about your account recovery situation.

Talk about victim blaming. Google and other companies introduce policies that make total identity lockout both easier and more problematic. Instead of investing in customer service to deal with this issue, the customer needs to "have a plan". What a crazy coincidence that this policy increases Google's profitability by decreasing support.


You should disclose your employer more consistently.


I work on Google's authentication team. I have mentioned this elsewhere in the thread.


Your other disclosure is why I said more consistently. Do you believe all readers will read all comments and index mentally by user name?


But you can set family members/significant others/etc as possible recovery mechanisms! This seems like a really workable solution that I don’t see people discussing in this thread?


Aren't people lonelier than ever, have fewer friends than ever, live alone more than ever, fall out with their families more than ever?


> What is the account recovery process if I’m locked out and don’t have my phone, say it’s lost or broken and I can’t verify my identity?

> You can always fall back to legacy authentication options such as passwords and traditional 2-step-verification. In a case where you can no longer remember your password, you can also go through Google’s Account recovery flow. We encourage you to add your email and phone number to ensure you can always access your account.

> https://safety.google/authentication/passkey/


Then what's the point of it all if a hacker can still get into my account using the traditional methods? This seems to be just opening up another avenue of attack.


If I understand it correctly it will avoid phishing, assuming people notice there's something up when they see a page asking for a traditional login for no good reason when they have passkeys. And it may be a transitionary step towards no passwords or something.


My Google account is set up such that account recovery requires me to actually travel to Mountain View and present several forms of ID, and that's just how I want it to be.


Are you joking or does Google really do in-person verification for high-value accounts (e.g. GCP or Play Store developer accounts)?


You can read more about the security properties of passkeys on your Google account on this post from earlier this year when support was originally announced: https://security.googleblog.com/2023/05/so-long-passwords-th...


Updated my paper:

https://news.ycombinator.com/item?id=37833390

Scenarios dealing with the loss of Passkeys:

The scenarios for dealing with the loss of Passkeys are effectively the same as dealing with the loss of your Password Manager (if you use one) or otherwise stored passwords.

Dealing with the loss of all your devices that use Passkeys

If you manage to lose access to all your devices that are used to authenticate via Passkeys (e.g., a house fire), then there are two main outcomes: either you have your Passkeys synchronized to a cloud provider or other external entity that still has a copy of all your Passkeys, or you do not. If you do not have a backup of all your Passkeys, they are gone, and you will need to fall back to account recovery for each affected account. If you have a backup of your Passkeys, you would need to regain access to it on a new device and then synchronize the Passkeys to it and use them as normal.

Dealing with the loss of your accounts that synchronize and store Passkeys

If you use a synchronization service attached to an account, it is possible that the account can be deleted or access to it otherwise lost. In this event, you would most likely still have a working copy of your Passkeys on your devices, and depending on whether or not you can export them or reconfigure synchronization with a new account, you would be able to add them to a new account, effectively creating a new account to store and synchronize your Passkeys.

Dealing with the loss of all your Passkeys

If your Passkey account is not only deleted but also tells all your devices to delete the Passkeys, or you lose all your devices and the accounts are deleted due to inactivity then you are basically in the same situation as having lost all your devices and not having a backup. You will need to fall back to account recovery for each affected account.


This is accurate, but by putting your passkey backup with that external entity, you are putting all your keys in that basket. Passwords have an obvious, backup option with zero dependencies on third-parties: A printed list in a fire safe. I would not advise users go heavily with any passkey provider that does not provide a physical backup of a similar form that can be secured through non-technical means, and that can be used by an heir or attorney to act as you when you are unable to do so.


The problem with that is people don't have fire safes. Or homes in some cases (e.g. many unhoused people have smartphones now). Also people need to travel and do recovery without having to fly home to their safe.

The idea that printing a backup is easy and an option for many people is often not the case.


And that is why most people use a single, easy to remember password for everything: even if their house burns, their devices are gone and they no longer have their phone number, they can still remember their password.

For all of its many weaknesses, a password has that one major advantage over all the other authentication methods, and unless a new method provides a similar advantage, most people will keep using a password, just like they did even with the appearance of private keys, biometrics, USB tokens, SMS or TOTP.


And it's a hassle to keep it in sync. If you decide to update your password you need to remember to print out a copy and store it in the safe, oh and throw out the old one.


> (e.g. many unhoused people have smartphones now)

I'll go out on a limb and say one smartphone usually - that is at heightened risk of getting stolen. With passwords, the person would probably just pick something they can remember in case the phone gets stolen. With passkeys, what should they do?


> The idea that printing a backup is easy and an option for many people is often not the case.

Fair enough, but that is an argument for multiple durable recovery and remediation solutions, which few of the current providers have.


Passkeys aren't inherently un-backup-able. I do agree though that the most common forms of it (e.g., Android/iOS/Windows secure enclave passkeys) need better ways of recovery and remediation.

That said, what you describe is easily doable in other forms. For hardware tokens, you can have a spare Yubikey that's authorized on your accounts and keep that in a fire safe with its unlock PIN. For something like 1Password, you can print out a recovery kit [1] with the secret key and unlock password.

[1] https://support.1password.com/emergency-kit/


> Passkeys aren't inherently un-backup-able

Agreed, I'm just not willing to endorse their use until there are robust recovery and remediation processes.

> For something like 1Password, you can print out a recovery kit [1] with the secret key and unlock password.

Yeah, this is what I want Google/Apple to provide as it is robust to both user incapacity and provider refusal-of-service.


> Agreed, I'm just not willing to endorse their use until there are robust recovery and remediation processes

They seem ripe for corporate use where ransomware and phishing are common threats and IT can manage account resets by walking over to their desk.


I think you’ll still need a password on your account for cases where no passkey is available, and possibly for other scenarios of heightened fraud risk. That’s why the setting they’re describing in the blog post is named “Skip password when possible”.

Disclaimer: although I worked for Google many years ago in a role entirely unrelated to Google account authentication, I have no inside info on this announcement, could be wrong about what I say in the first sentence of this comment, and am not speaking for Google here.


I think there's going to be an issue with people forgetting passwords they last used 5 years ago. Recovery needs to be much better thought out.


I agree that recovery is an important question. Maybe they will make sure to prompt for a password at least every N months? I have no idea what their answer for this may be, but they probably have one.


I also think that for sign-ups you still need a password for a while (simply as a fallback)


You're spot on. And I work on the Google authentication team right now :)


> What happens if there's a house fire or something and all my devices where I'm logged in with Google break? How do I log into my account again?

Easy: you will never log in to google again. Since google has zero reachable support, that's the end of your account.

This works better with something like a credit union where as a last resort just can just walk in there in person with IDs and restore access.

But with these internet giant companies which take pride in not having any reachable support ever? Nope, nope and no.


And if I loose for some reason access to my phone number, termination of current number to create a new line with a new phone, I loose access to Gmail forever ?


Possibly. Security has made internet enabled accounts outright user hostile. Try helping a 70 year old guy get into his Gmail again. I despair over the disrespect Google and the other major internet corps show their tech-naive users.

I've heard "I'll call them" far too often, and am perpetually forced to share the bad news.


* lose


And what if somebody breaks into my google/iCloud account and syncs all my passkeys to their machines?


If they're in your Google/iCloud, you're already in a game over scenario. The point of all this is to prevent that from happening.

You can try to recover by revoking all your passkeys and starting over with hardware tokens, but that's likely what a sophisticated attacker is going to try as well, and they're probably faster than you.

Still way way better than passwords.


How is that better than passwords? I backup my encrypted passphrase database to a cloud provider. When my house burns down and all my devices are lost, I get a new device, download my own passphrase manager app, download the passphrase document, and continue as before.

If someone breaks into the cloud provider and downloads my passphrase document, nothing happens.


If they break into my iCloud then they’re in my iCloud. They’re not in all my other accounts, because I use an encrypted password manager that isn’t iCloud.


Think of it as using iCloud as your password manager and storing your OTPs - someone breaks into your iCloud, they get access to all the passwords and OTPs to login to any service in iCloud.

Always take the security of your password manager / sync accounts seriously. Use hardware security keys if needed on the "root accounts".


iCloud is unfortunately impossible to adequately secure for that use case.

If you shoulder-surf somebody's phone unlock PIN and grab their phone, you have everything you need to take over their iCloud account, including their passkeys and the capability of locking out all of the victim's other trusted Apple devices and changing their iCloud password.

This was very surprising for me to witness first hand – fortunately not in the identity theft scenario, but only when observing a relative regaining access to their iCloud account using only their iPad they were logged in on.


It is a fair observation. And I can see why users tend to be alarmed about this. Although in my experience users tend to significantly underestimate the real risks of online attacks relative to these more visceral threats.

Let me ask you: has that discovery made you stop using your iPhone, or storing passwords or other critical data in your iCloud? If the answer is "No", then you're strictly better off moving to passkeys stored on iCloud as well.


> Let me ask you: has that discovery made you stop using your iPhone, or storing passwords or other critical data in your iCloud?

Yes, it has (the latter). I was a big fan of (non-synchronized) on-device passkeys, but this has significantly changed the threat model for me.

I use a third-party password manager exclusively now, and I'll probably be using its synchronized Passkey implementation too if it turns out to be any good.

As soon as Apple starts offering a different set of security trade-offs (e.g. make usage of the recovery key mandatory when resetting my iCloud password, or at least implement a timed lockout), I'd gladly start using iCloud Passkeys and maybe also its password manager.


I think you can set a longer iPhone password instead of a pin. Harder to surf.


Sure, but that's really inconvenient in the 99.9% of cases where I just want to unlock my phone, not recover my iCloud account password.


The passkeys are encrypted before leaving your machine and Google/iCloud are only storing the encrypted passkeys and can't decrypt them.


Presumably encrypted with e.g. my iCloud password ?


Kind of, but it's more complicated than that. Details there (and in the link at the bottom of the page): https://support.apple.com/en-us/102195


You don't.


That's the great part.


You get a new device, load your keys from the cloud and use the same screen lock key to decrypt the downloaded keys.

Even if it's passwordless by default doesn't mean there is no passwords for recovery.
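To make the scheme sketched in the comments above concrete (the provider stores only ciphertext, and the screen-lock secret re-derives the wrapping key on a replacement device), here is an added Go example; it is not Google's or Apple's code, and the PBKDF2 iteration count, the AES-256-GCM choice and the sample key bytes are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Backup is the record the sync provider stores: ciphertext plus public KDF parameters only.
type Backup struct {
	Salt, Nonce, Ciphertext []byte
	Iterations              int
}

// pbkdf2SHA256 derives one 32-byte block per RFC 8018 (toy stand-in for a real provider's KDF).
func pbkdf2SHA256(secret, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset() // back to the keyed initial state
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte derived wrapping key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal wraps the passkey private key under a key derived from the screen-lock secret.
func Seal(passkeyPriv, screenLock []byte) (Backup, error) {
	r := make([]byte, 28) // 16-byte salt followed by a 12-byte GCM nonce
	if _, err := rand.Read(r); err != nil {
		return Backup{}, err
	}
	b := Backup{Salt: r[:16], Nonce: r[16:], Iterations: 100000} // assumed iteration count
	gcm, err := newGCM(pbkdf2SHA256(screenLock, b.Salt, b.Iterations))
	if err != nil {
		return Backup{}, err
	}
	b.Ciphertext = gcm.Seal(nil, b.Nonce, passkeyPriv, b.Salt) // salt bound as AAD
	return b, nil
}

// Open is the recovery step on a new device: wrong secret or tampered record fails the GCM tag check.
func Open(b Backup, screenLock []byte) ([]byte, error) {
	gcm, err := newGCM(pbkdf2SHA256(screenLock, b.Salt, b.Iterations))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, b.Salt)
}
```

With a short PIN as the only secret, anyone holding the stored record can try every value offline, which is why a real design either requires a long secret or gates the unwrap step behind a rate-limited escrow service instead of handing the record to the client.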


When you get a duplicate of your SIM card you can then verify it is you with a SMS code. There are also security questions and alternate email you can configure just in case.


You go through.... account recovery?

Like if you lose your password today?


Ah right, account recovery. The one that tells me the only way to sign in to my old Google account is to use a phone that no longer exists.


Google has notoriously horrible customer service, or none at all ... A Google Domains issue took me months to resolve, I couldn't contact a human.


What’s the standard then? Should it be possible to recover your account without possessing any evidence whatsoever that you are the person you say you are?


Other businesses have humans on staff which will verify your identity documents. Google simply chooses not to do this, because it is expensive, and their "users" are not their customers.


That is not without risk either:

Many more people have a copy of my passport than have access to my Yubikey or recovery phone number.


Yes, remotely accepting a copy of an identity document from the other end of a wire is not a good authentication method. That's because they're not intended for remote digital authentication. Photo IDs are intended to be validated in-person, using the original document, and the photo visually compared to the person holding it.


Right, then you can just pay for Google's rather affordable non-free business version. Then you'll get reasonable support, well-reputed support.


I get a call from Google One Support. I explain the situation. They tell me to go to g.co/recover to recover my account (I already did this on my own). Same thing happens as before - same two options are given.

Then I'm told Google has a very strict security policy, and accounts cannot be changed in any way by support. So going through the recovery process is the ONLY way back into my account. So the call ends with them saying "I'm so sorry I can't help you." [1]

[1]: https://www.linkedin.com/pulse/when-you-get-locked-out-your-...


They have offered this since 2017, in response to the Podesta email hack. It's free, but it's not the default, because traveling to a Google site is prohibitively expensive for the vast majority of their users.

https://landing.google.com/advancedprotection


Is there something there that explains how the recovery process is different? The only thing I see in the FAQ is somewhere that they link to the normal account recovery page, and say that you'd have to order another hardware token.


I'm willing to bet Google already has a frighteningly accurate ability to determine whether I am associated with or own a particular account.


I've been locked permanently out of a (thankfully tertiary) Gmail account because their ML didn't like that I logged in from my new house. The option was to accept a push notification to a long dead and wiped phone.


Their state handling for the push notification based MFA factors is _atrocious_. I have had to “re-delete” a long wiped phone (or two) multiple times from more than one account. It seems to have finally stuck in the past year, but I’m suspicious that one day it could bite me in the ass.


Given your response you should read up on the reality of Google Account recovery, because the usual horror story is not that you have "no evidence whatsoever" but more like "I have all the evidence in the world including recovery codes, TOTP backups and a valid password and somehow I'm still locked out".


If you travel in another country and lose your phone or the phone gets stolen, how can you log into Gmail from anything else if you need access to travel or anything else? Like receiving a confirmation of identity by email from the bank or another service?


You can't, that's the point.


or to fax/email/send in government identity documents.


Despite what many companies seem to believe, looking at a copy of somebody's identification documents presented remotely does not constitute identity verification.

Photo ID is (relatively) secure in exactly one use case: Verifying that a person standing in front of you is who they claim to be. Everything else is inane pseudo-security.


No, I have a Google account that is locked forever without recourse. Even though I have email forwarding set up in that account to my main one.


If you can recover an account without the passkey, how much security is it really adding?


Depends on the recovery mechanism. Providing a government credential with a live selfie is the gold standard. If a company doesn't support that, they're being cheap at the cost of security (you can perform such an identity proof for ~$1-2 per successful proof through a vendor like Stripe Identity or ID.me).

Passkeys solve for digital identity compromise (credential theft or stuffing/spraying), but you must rely on other mechanisms (such as the one I mention above) if you want to elevate identity assurance higher in the event of credential loss.

(consumer IAM is a component of my work at a fintech; auth/creds security, passkey rollout, high identity confidence when an account is recovered, etc)


How do I actually give them my real government document with its physical security features through the internet? Just take a grainy photo of it? Really secure!


It at least avoids the user being phished or being compromised by reusing passwords.

But it seems in this case the account recovery is just using the password so the passkey is mostly convenience and maybe Google trying to move things away from passwords more than a complete change.


> maybe Google trying to move things away from passwords more than a complete change

Google wants to be a gateway to everything else you do.

The next step is to get other platforms to accept Google passwordless auth.


That depends entirely on how rigorous the recovery process is.


And then? Get asked for a unique pw that you haven't typed for ages or a duplicate pw that you use for everything?


Passkeys are instead of the password. You can still login using your password. This way, you don't have to keep entering your password if you have access to a device with a passkey and can access that device.


Passkeys don't (only) replace passwords – they usually also replace another authentication factor as well.

That other factor might still be available for account recoveries (together with a password or recovery email etc.), but if either are not regularly exercised, users might forget them or lose access to them and not notice until they also lose access to their passkey(s).

That said, Google's and Apple's passkey solutions themselves are cloud-synced (with no way to opt out), so as long as users of either can still access their Google or Apple account, they would not be totally locked out.


Sure, but is that adequate? Not having people practice their passwords seems to be an anti-pattern for selling premium support in password managers, while many other apps ask with planned frequency.


Passkeys are typically synced to cloud storage.


That does seem circular in Google's case, no? What cloud storage?



Given their awesome track record, Google is the LAST company I'd trust not to shut down or lock me out of such a critical tool.


Which I cannot access because I lost my passkey device.


Will I still have access to that if Google decides randomly to lock me out of my account?


If you are on Apple ecosystem, iCloud can sync. Other password managers like 1Password can also be used to store your passkeys. If none of the above, you can always set up a physical security key and leave it at home.

IMO if you're reading hacker news, you're fully capable of setting one up and leaving it in a safe locale for recovery.


Not just typically - on iOS, you cannot use them at all without iCloud enabled.


Perfect! I keep iCloud off, so this is one "improvement" I can continue to sidestep for a while.


On iOS you can use third party software to manage passkeys, there is no inherent cloud requirement.


Source?

>Note: To use passkeys, iOS 16, iPadOS 16, macOS 13, or tvOS 16 (or later) is required. iCloud Keychain and two-factor authentication must also be turned on.

https://support.apple.com/guide/iphone/use-passkeys-to-sign-...


Third-party passkey providers got added with iOS 17.

https://www.corbado.com/blog/apple-passkeys-integration


Can you? If so, this is great news.

What apps support this?


Third-party passkey providers got added with iOS 17. I don't know which apps apart from 1Password support it yet but the API is there.


A lot of services, but not all, will let you add passkeys which are tied to a password manager (e.g 1password) and not a physical device. If you've got one of those set up, you can download it on a new device and then gain access that way. In the case of 1password, this means you either have to remember your master password and your access key, or you have to have this stored somewhere safe. Perhaps choose a memorable password[1] and then encrypt an sd card and use one of these[2] in your wallet or a keyring usb drive or a yubikey so in the event of a fire all you have to do is grab your wallet or keys and you're good to go. Alternatively you could store this information in a safety deposit box, or with a trusted relative, or even your lawyer if they offer such a service.

At the end of the day, it's the individual's responsibility to determine how much they value their digital security and take what they deem to be the necessary steps, expenses and precautions to protect it. The only other alternative would be for Big Tech to have some kind of integration with the state, so that your digital accounts are tied to something like your passport or social security number, so that there are procedures available for regaining your digital identities in the event of catastrophe, just like you can do with your physical identity.

I personally think that the latter is where we are heading, not necessarily because of scenarios like you've mentioned, but because it's only a matter of time until AI advances to the point where it's going to cause a dangerous breakdown in trust and the only way it's going to be fixable is with some kind of system that is tied to physical reality. The internet will end up splitting into two, with the majority spending their time on the "verified" web, which will be websites using OAuth that will require you to use an account with one of the big providers who will have verified with the government or third party agency who you actually are. And then any websites that don't require this will form a sort of new, more accessible "dark web". I honestly think the majority of people are feeling that wary and weary of the internet at this point that they will happily choose the verified web, regardless of the surveillance implications.

[1] https://xkcd.com/936/

[2] https://amzn.eu/d/ia3kFeJ


Well you just get in touch with a friendly Google customer support representative /s

