> But the login for the Gmail address is a passkey that's on the Apple account...
A passkey is just a replacement for a password. Google (and other apps/websites) have account recovery processes for users who get locked out of their accounts. The way you get back into your Google account doesn’t change much just because you’re signing in with a passkey vs. a password.
Account recovery is a problem that service providers have to solve (and do solve) regardless of whether a user authenticates to their account with a password or a passkey.
> So what's the point of passkeys if you can get access to them without passkeys?
Some huge benefits are:
1. They are highly phishing resistant. Unlike passwords and popular forms of 2FA (TOTP and SMS), users can’t be tricked into sending their credential to a fake/malicious server. A passkey is bound to the server domain at the time the credential is created, and your OS/browser will simply not send it to the wrong place.
2. There is no credential for attackers to steal from servers in the case of server breach. This is because only a public key is stored on the server, instead of password hashes (or worse, plaintext, if the app/website developers don’t know what they’re doing).
3. Passkeys are guaranteed to be unique and secure. The same cannot be said for passwords. Even a password manager cannot guarantee that every single credential stored in the password manager is both unique and secure. And password complexity requirements often make it a painful game of trial and error to create a secure password, even when using a password manager.
4. Because of annoying password complexity requirements, the process of creating a new password can be annoying and take up to a minute or two of fiddling around, even when using a password manager. With a passkey, the process takes as long as Face ID or Touch ID (or equivalent on other platforms) every time. Every single credential creation and authentication is a fantastic user experience (both fast and easy).
I suggest watching Apple’s WWDC videos. There you will find a very, very in-depth answer to this question.
All of the points I’ve made above (and more) are covered in the linked videos.
Move beyond passwords: https://developer.apple.com/videos/play/wwdc2021/10106/
Meet passkeys: https://developer.apple.com/videos/play/wwdc2022/10092/
Deploy passkeys at work: https://developer.apple.com/videos/play/wwdc2023/10263/
If you won’t watch any of the above then you should at least read the FAQ on passkeys on the FIDO website here, which should answer many of your questions:
https://fidoalliance.org/faqs/#PasskeysFAQs
> How can something be protected when the thing that controls access to it has been compromised?
This is answered in the article I already linked above. Here is the link again.
About the security of passkeys: https://support.apple.com/en-us/102195
Specifically, carefully read the following sections titled “Synchronization security” and “Recovery security”. The short answer is that gaining access to the user’s iCloud Keychain contents requires more than just having access to the Apple Account.
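Added example (not part of the original comment, and not Apple’s or the FIDO Alliance’s code): a stripped-down WebAuthn-style registration and login in Go that shows points 1 and 2 above in code. The server stores only a P-256 public key; the simulated browser keeps the private key under the RP ID it derives from the real page origin, so a look-alike domain relaying the genuine challenge gets nothing to send. Simplifications and assumptions: the relying party example.com and the phishing host example.com.evil.test are hypothetical; authenticatorData is reduced to just the rpIdHash (no flags, counter or credential ID); the challenge is hex-encoded rather than base64url; keys live in memory rather than in a platform keychain.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData mirrors the clientDataJSON fields that matter here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is a simplified WebAuthn authentication response.
type assertion struct {
	clientData []byte // built by the browser, not by the page
	authData   []byte // stands in for authenticatorData: here just sha256(rpID)
	signature  []byte // ASN.1 ECDSA over sha256(authData || sha256(clientData))
}

// browser models the user agent plus platform authenticator. Private keys are
// filed under the RP ID (origin host) they were created for.
type browser struct{ keys map[string]*ecdsa.PrivateKey }

// rpIDFromOrigin derives the RP ID from the origin the browser is actually
// talking to; page content cannot override it.
func rpIDFromOrigin(origin string) (string, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "", errors.New("webauthn requires an https origin")
	}
	return u.Hostname(), nil
}

// create is registration: the server only ever receives the public key.
func (b *browser) create(origin string) (*ecdsa.PublicKey, error) {
	rpID, err := rpIDFromOrigin(origin)
	if err != nil {
		return nil, err
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	b.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedMessage is the byte string both sides sign and verify.
func signedMessage(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// get is authentication. With no key for this origin's RP ID (e.g. a
// look-alike phishing domain) the browser has nothing to send.
func (b *browser) get(origin string, challenge []byte) (*assertion, error) {
	rpID, err := rpIDFromOrigin(origin)
	if err != nil {
		return nil, err
	}
	priv, ok := b.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q: nothing to phish", rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: hex.EncodeToString(challenge), Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpHash[:], cd))
	if err != nil {
		return nil, err
	}
	return &assertion{clientData: cd, authData: rpHash[:], signature: sig}, nil
}

// verify is the server side: holding only pub, it checks type, challenge,
// origin, rpIdHash and signature before accepting the login.
func verify(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, a *assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.clientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != hex.EncodeToString(challenge) {
		return errors.New("wrong type or stale/replayed challenge")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q does not match expected %q", cd.Origin, origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.authData, rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.authData, a.clientData), a.signature) {
		return errors.New("signature does not verify against stored public key")
	}
	return nil
}

// runScenario registers a passkey for the hypothetical RP example.com, logs in
// legitimately, then has a look-alike domain relay the genuine challenge.
func runScenario() (legit, phish error) {
	const rpID, origin = "example.com", "https://example.com"
	b := &browser{keys: map[string]*ecdsa.PrivateKey{}}
	pub, err := b.create(origin)
	if err != nil {
		return err, err
	}
	challenge := make([]byte, 32) // server-issued, single-use nonce
	if _, err := rand.Read(challenge); err != nil {
		return err, err
	}
	if a, err := b.get(origin, challenge); err != nil {
		legit = err
	} else {
		legit = verify(pub, rpID, origin, challenge, a)
	}
	_, phish = b.get("https://example.com.evil.test", challenge) // attacker proxies the real challenge
	return legit, phish
}

func main() {
	legit, phish := runScenario()
	fmt.Println("legitimate login:", legit)
	fmt.Println("phishing relay:  ", phish)
}
```

Running it prints a nil error for the legitimate login and a "no passkey registered" error for the relay, which is point 1 in action: the decision not to release the credential is made by the browser from the real origin, not by the user judging a page. Point 2 is visible in verify, which never touches anything but the public key, so a dump of the server's credential table yields nothing an attacker can log in with.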