> The thing that Google/Apple have brought to the table is cloud backup of your private keys (yes, you should have lots of questions about how that is managed).
Absolutely. I keep my BitLocker keys in my Microsoft account because it's a simple solution that provides good enough security for me. If someone wants access to my data they have to get the key and my disk. I understand it and I'm satisfied with how it works.
With passkeys, having a cloud backup doesn't even make sense to me. If I'm using a YubiKey or a TPM, the private key can't be extracted to back it up, so what do they back up? Do I have to opt in to a weaker system to get cloud backups?
At the very least, I should be able to designate trusted parties (parents, siblings, kids) where at least one of them has to approve the recovery of a cloud backup. Microsoft, Google, etc. shouldn't be able to access it at all. I trust my family, not big tech.
Should you trust Apple? Is this secure enough if a password can still be used that recovers all these keys?
Ultimately there is always a convenience/security trade-off. The “passkey” concept has it right for the 99% of users case (in my opinion). For that 1%, it’s still WebAuthn, so nothing stops you from using a YubiKey with a second safe-held YubiKey for disaster recovery.
I’m guessing that means there’s some kind of key derivation happening, which means it’s super similar to modern password managers IMO. I realize there are some benefits, but in a password-based world I can memorize my highest value passwords and salt others with a common password.
I don’t see the value in making such a big change for such little gain.