If you can drop a single device in a lake and lose your credential, it’s not a passkey. Passkeys are backed up and synced across your devices to deliver a great and safe user experience, while also eliminating phishing.
If it’s device-bound, it’s not a passkey. :)
@rmondello I’m going to disagree in the case of hardware keys like #yubikey, which should never leave the device. But you should always have 2 of them for that reason.
Sync is a powerful feature and people should use it. If you have different flavor platforms, creating two passkeys also works fine.
@nekodojo Yubikeys are awesome! Security keys in general are awesome!
But calling what’s on them “passkeys” will confuse average computer users, because the properties of a device-bound key are so different than having keys that are backed up and synced in a password manager.
Call them what they are: security keys. Passkeys are different.
@rmondello OK I can see your point. Though I can already feel the pressure of vendors wanting to exclude #yubikey from the whole #passkeys push. Making the label not apply to them will accelerate the push to exclude them from the standard and make it acceptable for vendors and web sites to not support them.
Not saying you’re wrong on this, and I think users would be confused either way. I want passkeys to do well. Yubico has been active and supportive of the standard even though they knew they were paving the road that would allow other vendors to steal their market share. If web sites like PayPal decide to support passkeys but not security keys for passwordless login, I’ll be sad.