chimeracoder 9 days ago

> More like abuelita gets robbed at gunpoint and made to unlock and clear out her bank account, then has no recourse at home because her device was taken.

You are describing the current status quo, without passkeys. This is already possible.

Well, except maybe for the "without recourse" part, because there are some legal and policy avenues available for dealing with this situation.

mvieira38 9 days ago | parent

The "without recourse" is the part that matters... With passkeys or 2FA she's at risk of having to wait a day or more to go to the physical location (if there even is one, digital banks are huge in Latin America), with passwords she can just check her notebook the same night and start the recourse through official channels. I know she could just call the hotline, but if a 24hr customer service guy can get you in your account the same night then the bank is too insecure anyways

chimeracoder 9 days ago | parent

> The "without recourse" is the part that matters...

Yes, and I'm saying that part isn't accurate either for the story you're portraying with passkeys or for the status quo. That's not how account recovery flows work.

mvieira38 9 days ago | parent

With passwords, no account was even lost in the scenario for a recovery flow to start. An account recovery flow is only necessary because of the superfluous extra security, which will almost inevitably introduce more attack vectors than before (such as a social engineering attack through customer service) if the banks want to service customers like grandmas.

chimeracoder 9 days ago | parent

> With passwords, no account was even lost in the scenario for a recovery flow to start

Given how common mandatory SMS 2FA is for banks, if thieves stole your unlocked phone, they have stolen your account too.

3036e4 9 days ago | parent

Isn't the SMS just 1 factor, and for 2FA they will also need the other F (e.g. password)?

Relying on only SMS sounds like 1FA?