Firefox on Desktop tells me to "touch my security key". Not sure how that works.
Firefox Android gives me a few hardware options to store my passkey to.
Chrome Desktop asks me to enable Bluetooth.
Chrome Android asks which Google Account to use.
I use passkeys everywhere I find them. I do not take control or ownership of backing up - instead I have alternative 2FA or hardware key authentication with all those accounts.
For every account I have a hardware key for, there are 3 hardware keys associated with that account - 2 on-site, 1 off-site.
How do you register your off-site hardware key? Did you have to go retrieve it each time you wanted to make an account?
I suppose every time one makes an account one can register the two on-site keys, and then rotate one of your on-site keys to off-site and take the off-site key home with you, and then finally register it.
I think you answered your own question! The three-key setup is optimum for ease of rotating (or so you can carry one on person) - but if your house burns down with your phone in it - you will lose anything set up since your last offsite rotation.
Sounds paranoid / crazy - but I have 0 anxiety about being locked out of an account that matters.
YubiKey keys - zero difficulty adding multiple - if a site doesn't allow multiple I wouldn't lock my account down to a single point of failure. All the big players seem to offer it, and I cannot recall any that didn't. Google in the "advanced protection" days forced you to have more than 2 keys for this reason.
By count of sites, most sites don't appear to take security that seriously so anything more than a password is off the cards, but the big ones - the ones that actually matter; email, cloud, etc. should all be able to be secured.
Password managers like Dashlane and 1Password have announced support for storing and syncing passkeys. As passkeys become more popular I expect more providers to step up as well.
Ecosystem lock-in is not how we make a new technology like this successful. And all players in the game understand that.
Appreciate the response. And I wish this message was front and center. The Attestation feature is what worries me, when, say, the bank turns it on for a few 'blessed' providers, or mandates a hardware implementation.
This is a privilege I currently enjoy right now, and one I am not really eager to give up.