But if you could back up a passkey, wouldn't the key just be a password?
(I do agree with you about backups being essential, but my conclusion was "the idea is fundamentally flawed," rather than "it's one tweak away from greatness.")
No, because unlike a password you never provide the private key for a passkey to the site you’re logging into, which is how many password breaches occur.
This is the irreducible problem. It's the Emperor's New Clothes™. So either the secrets get generated and stored in tamper-protected hardware, or they are stored somewhere else that can be made portable. For the latter, then they ought to be serializable into some standard form.
