bo1024 7 hours ago

I thought the point of passkey security is that you don't have to send the private key around, it can stay on your device. Different passkey per device. Lose or destroy a device, delete that passkey and move on.
rcxdude an hour ago

The issue there being there's a big usability headache with enrolling multiple devices. You really want one device to be able to enroll all your devices (including not-present and offline), but there's no mechanism to do this with the way the webauthn spec works at the moment.
johncolanduoni 5 hours ago

None of the password managers (including but not limited to the ones built into iOS/Android) work that way. The Apple one (and I think Google is the same) keeps the private key inside the secure enclave (security processor), but it is still copied to each new device, though it is end-to-end encrypted during that transmission.
slau 7 hours ago

That's how I use them. Passkeys on two Yubikeys. And I tag in my password manager which credentials have what form of auth: UP, TOTP (also stored on the two Yubikeys), Webauthn or passkeys (the former indicating 2FA).