Are Passkeys exportable and re-importable by another service, site, or system? As described above, if my Google Account is terminated by Google without recourse (which absolutely happens), do I lose access to all sites that I used solely a Google Account Passkey for once my phone stops working?
If you are truly paranoid that your major device accounts are subject to termination without recourse (which if that happens you generally have lots of other problems and should maybe cause you to rethink your other trust relationships with such vendors and which devices you are buying), you can build your own Passkeys with WebAuthn standards and roll your own recovery/backup strategy. (Most FIDO compatible WebAuthn keys already work today anywhere Passkeys are supported, Passkey is just the "brand name" for those standards plus a soon-to-be-standard Bluetooth LTE handshake plus Vendor-guided backup and recovery plus whatever cross-device ecosystem "interop" standards the Big 3 eventually settle on.)
If this is the case, then maybe there will be some solution through Google Takeout. Apple and MS seem less interested in this, but if one of them can generate an export, I can see services appearing that can work with that exported data.
> you can build your own Passkeys with WebAuthn standards and roll your own recovery/backup strategy.
This... or I can stick with passwords, print them out annually and put them in my fire safe. The KISS principle works here, and I can't imagine a non-techie person who works in a socially-risky field being able to do so.
> If you are truly paranoid that your major device accounts are subject to termination without recourse (which if that happens you generally have lots of other problems and should maybe cause you to rethink your other trust relationships with such vendors and which devices you are buying)
Complaints by users who have Big 3 cloud accounts closed for unspecified "violations" are common enough to make it a concern. I take other protections against something like this, but I absolutely do consider it a risk, and would generally advise people not to keep all their digital services under one roof. If you use Gmail for email, then use Microsoft or Apple for Passkey, Bitwarden or 1Password for Password Vaults, etc., etc.
So far as I'm aware none of them are planning key exports any time soon. Keeping keys in the various secure enclaves of users' devices is a key part of the security footprint they are trying to establish. That's why multi-key enrollment is the base case in all Passkey systems: recovery, multi-device support, etc. all hinge on continuously expiring old keys and auto-enrolling new ones. There's no export, and cloud backups aren't "backups" but different, vendor-escrowed keys (often themselves in hardware cloud secure enclaves that cannot be exported, only new keys added to keychains) and ways to attest for (sign) new keys in recovery situations.
As I said way above, the theory is that enrolling all of your devices and all of your top-level recovery accounts will be easy and convenient enough on every website, not just your bank (given how many banks still don't even support proper TOTP, hopefully better than some banks today), and enough so that everyone does it by habit. I agree, there are huge practical risks that someone gets it wrong, and there are all sorts of ways what should be easy turns into complicated soup that never works right. That's the brief glimmer of hope here offered by the Big 3 alliance on this and making it a major marketing endeavor. They've put a lot on the line for this.
> This... or I can stick with passwords, print them out annually and put them in my fire safe. The KISS principle works here, and I can't imagine a non-techie person who works in a socially-risky field being able to do so.
The hope is that, with the Big 3 all in agreement here that passwords need to be entirely replaced, and that the only way that happens is if what replaces them is as easy and uncomplicated as possible for non-technical people to use every day, Passkeys will see strong implementations everywhere and that cross-vendor multi-device interop will be strong enough for everyone to rely on (even if you distrust one or all three of the Big 3).
> Complaints by users who have Big 3 cloud accounts closed for unspecified "violations" are common enough to make it a concern. I take other protections against something like this, but I absolutely do consider it a risk
I consider it a risk too, but as with all things security every risk needs to be evaluated within the template of a larger threat model. Email is already the de facto chokepoint for recovery of almost any account (and passkeys don't necessarily change that; "Forgot Password" flows still probably exist in passkey worlds, just differently). You have a ton of eggs in whatever basket is your email provider (and for the majority of people often one of the Big 3). Phones are already the de facto chokepoint for account access (whether because of TOTP or single ecosystem "apps" or all sorts of other lock-in mechanics). Passkeys don't substantially change these existing deep trust relationships (and weren't really designed to); for most people in most threat models, the amount they are trusting their various relationships with the Big 3 doesn't substantially shift with a switch to Passkeys. (For good and bad. Absolutely some people are underestimating exactly how much they trust one vendor or another and how much they have to lose if their account is suspended for any reason without warning or easy recourse.) (Your threat model is your own and will vary, of course.)
On top of that, other vendors will be playing ball in this space. Mozilla isn't a direct part of the "Passkey Alliance" but has stated their interest in Passkeys and cross-platform/cross-device interoperability. There will be more, too, over time. Possibly enough paranoid people will roll their own that good self-hosting and open source options will roll out eventually. Even if most people won't use them and most people won't need them in their personal threat models, having more options is always a good thing (and a Plan B if your threat model changes for any reason). All of this is in a cloud of enough open standards that vendor lock-in, while maybe not impossible, should be unlikely.
You are right to be worried. You are right to be questioning all of this. I appreciate your concerns here (I know I have an uneasy relationship at best with at least one of the Big 3 myself). I hope I've offered at least some reasoning on where some of your concerns may be mitigated by the ecosystem as a whole.