That's great to see! I just tried out 1Password's beta browser extension which has passkeys support, and the UX is super seamless. Played around with it on https://www.passkeys.io/
I'm really hopeful about this, a lot more than any of the previous iterations of the FIDO stuff. I worked at a company that was an early adopter/implementer of the original FIDO U2F spec, and it had major UX problems, enough that I couldn't see it ever being used by the general public (who the heck would carry a USB key with them?? and this only works with desktops/laptops, sure Bluetooth support, but ehhh), but with this, synced to your password manager of choice, that's A LOT better.
The passkey is usable anywhere (signed up on my desktop, hopped over to my laptop and signed in there with the same passkey). I can't use it from my Android phone yet, but that will come soon I'm sure when 1Password adds support to the mobile apps + Google does the same as Apple here with adding proper Android integration.
On Android I can still only use a USB/NFC/Bluetooth security key, or "my lock screen" (i.e. on-device security key, not passkeys) so far. If I click on "Sign in with a passkey" it says I have no passkeys via an Android system dialog, but if I sign in with my email it lets me use my "security key" (i.e. biometric lock screen prompt).
> but with this, synced to your password manager of choice, that's A LOT better
While I agree with your general point that passkeys are great, I strongly disagree with these specific points. It's much easier for me to carry a small USB key everywhere than it is to carry a big-ass phone (I often leave it at home) or my own computer.
With a YubiKey on my keychain, I can log into my company's AzureAD from any computer. In a pinch, this also works on a phone if it has an NFC reader. It used to work fine on my iPhone 7.
Another use case is specifically not wanting anything company-related on my own computing device. My personal phone isn't enrolled in the company's AzureAD, I don't have their 1Password vault there, etc.
I'm talking about the "personal use" use case and not the professional/business use case. I agree with the value of security keys as being a physical token with low/no risk of leaking. But for personal use there's no way I can make that work for me day-to-day, even less of a chance I could get my parents bought in on that idea. And I've tried, as someone who actually developed software to interface with this tech directly. I always have my phone with me, but if not, I can always log in to my cloud-synced password manager in a pinch. (Worth mentioning, I don't have the same paranoia as some regarding cloud-synced vaults when done right, big reason I left that aforementioned company.)
Why not? I do this. It's no different from any other physical key like a door key, and I keep it on the same keychain too...
> The passkey is usable anywhere (signed up on my desktop, hopped over to my laptop and signed in there with the same passkey).
I don't see how this conflicts with physical tokens like YubiKeys? The tokens help you "remember" the key like how a physical door key helps you "remember" the bitting (which is the real authentication info).*
Just like passkeys, U2F can also be done using a virtual U2F device if you so choose (https://github.com/bulwarkid/virtual-fido). And presumably you could create an off-device portable token to store passkeys...
The real problem at the end of the day is just consistent adoption. There's still a ton of 2FA services that don't accept U2F and only use SMS or email codes...
*: This is a simplified take on things but at a high level that's what's happening.
Are you saying they don't use any physical keys? That would be surprising to me...
I've found it really easy to teach non-technical people how to use U2F tokens. Just tell them it's like a door key but instead of plugging it in and turning, you plug it in and touch. That's all there is. It's been much more intuitive* to my older family members than SMS codes (that sometimes get lost), authenticator apps (that have a huge list of services from which you need to quickly find the one you want and type the code), or password managers (that either cost money or are difficult to set up across devices).
*: I know this because I've never had to do "tech support" for family members that have accounts set up to use U2F tokens, but I have had plenty of calls related to "not getting the SMS code" or "the (insert brand) password manager isn't filling in the password for my account!"
The difference is that I can know with significant certainty that shoving my house key in a random lock won't copy the form of my key and send it to a 3D printer where a thief will get it and use it to access my house.
How can I know that won't happen when I use my USB dongle on a random coffee shop public computer?
You can actually safely plug U2F tokens into random computers and rest assured that the keys inside cannot be cloned. This provides security guarantees above and beyond that of physical keys! In fact, an untrusted computer can't* even MITM the authentication process of U2F, unlike with SMS codes! (Of course, an untrusted computer could fake the UI to try and exfiltrate other info from you, but that's beyond the scope of authentication itself.)
The worst a malicious client can do to a U2F token is to fry it :-)
*: There's some asterisks here, but if you want to know the details check out the U2F spec or this https://www.yubico.com/blog/creating-unphishable-security-ke... for a more accessible explanation. Banking-grade U2F/similar tokens actually behave like hardware crypto wallets and will show the auth request metadata on an internal screen, in case the device you are plugging into is completely untrustworthy.
A random lock (or a street-level camera FWIW [1]) would be better positioned to extract enough data to reproduce the key.
U2F tokens are "Trusted Platform Modules" of sorts. The keys themselves are never visible to the devices you plug them into. They are capable of answering challenge/responses, and having the URL part of the challenge prevents phishing[2].
I am much more comfortable not typing any password on a public computer.
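The two points above (the private key never leaves the token, and the origin is bound into what gets signed) in code. This is an added example, not code from anyone in the thread: a toy authenticator and a toy relying-party verifier over a simplified assertion format, with `signedMessage`, `Sign` and `VerifyAssertion` as names chosen here. Sample challenges and origins are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData is the part of clientDataJSON that matters here; the browser, not the page, fills it in.
type clientData struct{ Challenge, Origin string } // encoding/json matches the lowercase keys case-insensitively
// Authenticator is a toy token: the private key is generated inside and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: k}, err
}
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey } // handed out once, at registration
// signedMessage is what both sides hash: authenticatorData || SHA256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}
// Sign emulates an assertion; authData is rpIdHash || flags (sign counter omitted in this toy).
func (a *Authenticator) Sign(rpID string, cdJSON []byte) (authData, sig []byte, err error) {
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x01)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cdJSON))
	return authData, sig, err
}
// VerifyAssertion is the relying-party side; the signature covers every field checked here,
// so an assertion relayed from a look-alike origin cannot be patched up to pass.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdJSON, sig []byte) error {
	cd, rpIDHash := clientData{}, sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(cdJSON, &cd) != nil || cd.Challenge != challenge:
		return errors.New("malformed clientDataJSON or stale challenge")
	case cd.Origin != origin:
		return errors.New("origin mismatch: assertion was signed for " + cd.Origin)
	case len(authData) < 33 || string(authData[:32]) != string(rpIDHash[:]):
		return errors.New("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedMessage(authData, cdJSON), sig):
		return errors.New("bad signature")
	}
	return nil
}
```

A relayed assertion fails the origin check; editing the origin back in clientDataJSON afterwards fails the signature check instead, since the signed hash covers the exact bytes the browser produced.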
How is that different from a password? How can you know that when you type your password into a random coffee shop public computer that the computer isn't running a keylogger and sending your credentials to criminals?
I did a WebAuthn implementation at work and the UX for WebAuthn was fucking awful. Especially on macOS, every browser had a completely separate implementation of WebAuthn, and if you used the Touch ID as a WebAuthn device, you basically could not see it anywhere and deleting it was also a pain in the ass. On Chrome, you basically had to just delete all of your passwords for the last N days to get rid of them.
On Windows, I think all browsers handled it centrally with Windows Hello, but even there the WebAuthn devices just kinda disappear into the ether once you register them, and deleting them had to be done through the command-line. There were also weird ass bugs where the UI would behave completely differently depending on whether or not you had Windows Hello login in use, so websites would need to engineer around it.
Haven't played around with passkeys yet, but I imagine the only direction to go is up.
Yeah. With 1Password it's just another item like a password, but named "passkey". And in the browser when you set it up or use it, you get a little overlay on the website in the top-right and you click on it. That's it. Super simple, no faff, full visibility.