> So what I hear you saying is that if a normal person gets locked out of their Google account, they will also be locked out of every other website they have accounts with.
> Yikes. I guess I’ll be telling everybody to stay far away from passkeys.

This is a bit like telling everyone to stay away from password managers, just because Google offers one with Chrome that potentially disappears (taking all your passwords with it) when they nuke your account.

No, passkeys are fine. Just don't rely on a single, central provider who you consider an adversary.

> Edit: wait, what do you mean if your phone still works? Also, does this mean if you lose your phone you can’t log into anything? How do you recover from that?

If you lose your yubikey/Google authenticator/whatever TOTP, you're in a similar pickle. So then you do account recovery (recovery codes etc.)