@btanderson@infosec.exchange
@markwyner@mas.to I think the problem here is that "One Key to Rule Them All" is a fine slogan, but actually a very difficult and impractical strategy to manage. Passkeys, digital and physical, need to be viewed as one part of a multipart solution including having alternate authentication/recovery methods, backup keys where possible, etc.
I love my yubikey, it's reduced my overreliance on password managers… it was great until I left it home while on vacation out of state. But having other secure authentication methods available blunted the impact somewhat.
The bigger problem is the uneven, inconsistent way passkeys are implemented in products. It's absolutely impossible to teach someone not already infosec savvy how passkeys work, because the UI from site to site, app to app, is so janky.
@btanderson@infosec.exchange
@markwyner@mas.to also, btw, I support the "buy two, register two, hide one" approach to hardware keys.