Just to be clear, because I don't know the answer to this… if Google locks your account, can you still use your Android device to login with a passkey to that other site?
I guess that'll depend on whether your phone still functions if Google locks your account.
But worst case, yes, but only in the same way that if you put all your photos on Google photos and then they block your account, you won't have access to your photos any more.
If that's a concern, then don't do that.
I think the passkey design actively encourages sites to support multiple authenticators, so you just enrol your yubikey as well as your phone and you're good.
So what I hear you saying is that if a normal person gets locked out of their Google account, they will also be locked out of every other website they have accounts with.
Yikes. I guess I’ll be telling everybody to stay far away from passkeys.
*By “normal,” I mean the people who don’t have yubikeys, like myself. Lol.
Edit: wait, what do you mean if your phone still works? Also, does this mean if you lose your phone you can’t log into anything? How do you recover from that?
> So what I hear you saying is that if a normal person gets locked out of their Google account, they will also be locked out of every other website they have accounts with.
> Yikes. I guess I’ll be telling everybody to stay far away from passkeys.
This is a bit like telling everyone to stay away from password managers, just because Google offers one with Chrome that potentially disappears (taking all your passwords with it) when they nuke your account.
No, passkeys are fine. Just don't rely on a single, central provider who you consider an adversary.
> Edit: wait, what do you mean if your phone still works? Also, does this mean if you lose your phone you can’t log into anything? How do you recover from that?
If you lose your yubikey/Google authenticator/whatever TOTP, you're in a similar pickle. So then you do account recovery (recovery codes etc.)
> Also, does this mean if you lose your phone you can’t log into anything? How do you recover from that?
If your passkey is tied to the phone (which will be true for most people), losing your phone will be an interesting experience.
Assuming you remember your Google account password, you will have to buy a new phone.
In many cases you'll need a new SIM or eSIM as well, e.g. if you have SMS based 2FA enabled. If you use Google Authenticator, your phone's gone, so you better have a fallback — either SMS or fallback 2FA codes.
If you need a SIM, and used Passkeys to login to your telco’s online account … um, tough. You’d better call customer support.
Essentially, passkeys tied to one device are a house of cards. When things go wrong (e.g. you lose your phone or your dog chews your Yubikey) it's not pretty. But of course security pros know this, they have backups and spend time securing and testing the backups.
Most ordinary users won’t, of course.
More interesting is the underlying assumption that your Google account works. If your stolen phone was used to do something shady or simply something Google’s account protection systems don’t like, your account may be locked out. At which point things get even more interesting.
That said — cross-platform Passkeys should exist soon.
1Password is implementing Passkey support[1], hopefully KeePassXC will do it too, then users of those apps will be okay. But I’ve no idea how easy it’ll be to move keys around.
The spec really needs to support interop better, with formal import/export support. You shouldn’t be able to say you support PassKeys if you don’t support import/export.
But of course even then, most users won’t export or back up their keys ¯\_(ツ)_/¯
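The comments above keep coming back to one question: can this account survive losing a phone, or losing access to the provider that syncs the passkey? A relying party can actually tell the two kinds of passkey apart, because WebAuthn authenticator data carries a flags byte with a "backup eligible" (BE) bit and a "backup state" (BS) bit. The example below is an added illustration, not code from any commenter, 1Password, or KeePassXC; the authenticator data bytes and the risk policy are constructed for this example.

```python
from dataclasses import dataclass

# Flag bits of the WebAuthn authenticator data flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced/backed up
FLAG_BS = 0x10  # backup state: credential currently is backed up


@dataclass
class Credential:
    credential_id: str
    backup_eligible: bool
    backed_up: bool


def parse_flags(authenticator_data: bytes) -> int:
    """Return the flags byte: layout is rpIdHash[32] | flags[1] | signCount[4] | ..."""
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    return authenticator_data[32]


def credential_from_auth_data(cred_id: str, authenticator_data: bytes) -> Credential:
    flags = parse_flags(authenticator_data)
    return Credential(cred_id, bool(flags & FLAG_BE), bool(flags & FLAG_BS))


def lockout_risk(creds: list[Credential]) -> str:
    """Constructed policy (not from the spec) for how badly losing one device hurts.

    "high":   a single device-bound passkey (lose the phone, lose the account)
    "medium": several device-bound keys, or a single synced key (provider lockout)
    "low":    a synced key plus at least one other registered credential
    """
    if not creds:
        return "none"
    synced = [c for c in creds if c.backup_eligible and c.backed_up]
    if len(creds) == 1 and not synced:
        return "high"
    if not synced:
        return "medium"
    return "low" if len(creds) >= 2 else "medium"


def _constructed_auth_data(flags: int, sign_count: int = 1) -> bytes:
    # Constructed sample: zeroed 32-byte rpIdHash, flags byte, big-endian counter.
    return bytes(32) + bytes([flags]) + sign_count.to_bytes(4, "big")


# Constructed samples: a phone-bound passkey and a synced (password-manager) passkey.
DEVICE_BOUND = credential_from_auth_data("phone", _constructed_auth_data(FLAG_UP | FLAG_UV))
SYNCED = credential_from_auth_data("pwmgr", _constructed_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS))
```

A site could run `lockout_risk` at registration time and nudge a "high" user to enrol a second authenticator, which is the multi-authenticator advice given earlier in the thread.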
Worth noting is that this is desktop only (and arrives June 6). They are not supporting passkeys on their mobile apps yet, and AFAIK there is no timeline announced for when that will happen.