I've seen orgs move to passkeys only, then offer reset-questions (e.g. city of first job, etc); because the Customer Service volume/workflow wasn't figured out.
Or your backpack gets stolen.
Oops.
I swear, people who idolize passkey security must never travel anywhere.
PS: "just have more devices with passkeys", they invariably say.
Yeah right because people are made of money, everyone has the forethought, and a 2nd laptop in the US is a great asset when you're in Poland and can't login anywhere.
Confirms that strategy then
For people who only use passwords having an extra device can help too. Google does not necessarily permit a login with a backup code, so to me it seems ideal to grab a spare phone, log into important accounts, and store it with a trusted party/friend.
It could be very difficult to login to an account like Gmail from overseas in the event of PC+phone[+hardware key] theft. Maybe no big deal if you can port your number to a new phone right away. Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there)
Literally happened to me in Poland, which is why I avoid passkeys like the plague.
(The thief got caught months later. That didn't help me.)
>Maybe no big deal if you can port your number to a new phone right away.
T-Mobile won't mail a SIM card overseas, and I doubt others will either. There is no "maybe", it's a certainty that you won't be able to.
>Or maybe the trusted friend can help
Yeah, my wife literally mailed me SIM card to Poland.
It took over week.
And a "trusted friend" would first have had to get it somehow.
>Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there)
At least I logged into my accounts from that city before the laptop and phone were stolen, so my logins were not "suspicious".
That's with a password.
_____
PS: screw Citibank's mandatory phone -based "2FA".
It takes a bit of effort, but it’s not impossible.
Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.
No need to imagine!
Remove all passkeys from your phone and laptop, then go somewhere overseas without any of those Yubikeys.
Have fun enjoy a "not truly problematic" scenario of getting your Yibikeys from "multiple locations" you don't have access to, while being cut off from your messengers, email, bank account, etc.
Bonus points for having your card locked or stolen at the same time.
Or, imagine the backpack with your passkeys devices being stolen on an overseas trip.
Again: pray tell, then what?
That's a wild understatement. For most users, having a password manager is already very near to the upper bound of acceptable friction.
Updated to Windows Hello and passkey.
Now I can use a 4 digit pin to login.
A lot of services have password reset email features. If the email account has passkey you're screwed. But restore by snail mail can be possible but slow (for paid services). More secure? Don't know but same category of problems already known due to sim swapping attacks in mobile sector. But for sure the Mail account is a high value target.
Storing passkeys in a database may be possible but complex to do it right e.g. backup verification, avoiding to leak while backup etc.
Banking has no selfservice password reset. A lot of work for customer support due to identification. Nobody wants to do that for free and if the accounts are freenyou may get DOSed by bots which trigger passwort resets.
Thank you, then this is still true today?
Disappointing the rollout was botched (recall cross platform and password manager difficulties). Haven’t done research since but even with some new UIs and flows promoting passkeys in the past couple months, haven’t regained my trust either.
