On Passkey Usability

Matt February 12, 2024 3:05 PM

@kevin “If account recovery is your biggest passkey issue, well, we’re doing pretty well.”

I agree we’re doing better than before (don’t get me wrong, I fully approve of WebAuthn/passkeys/etc. as a replacement for passwords), but account recovery is still a common enough thing that I think it’s worth worrying about, and it’s something I rarely see discussion about.

When it is discussed, I see a lot of “use a cloud passkeys provider” (e.g. Google); then the “account recovery” problem is winnowed down to a single account (e.g. your Google account). But then all your eggs are in one basket: If someone else can recover your Google account, bam, now they’ve got access to and control of everything. Fundamentally it’s the same issue as having your “account recovery” method be via email or SMS, where access to a single thing (e.g. an email inbox) gives control over everything that relies on that thing.

I know there’s always a balance between convenience and security. One answer to the problem is, indeed, to simply accept having to write down and store recovery codes for all of one’s accounts. Tedious, but relatively simple (you could write them in a paper notebook to avoid any risk of the codes being stolen via hacking; or store them in an encrypted file on your hard drive that only you know the key to decrypt; etc.). (Something like this is in fact what I do, because while I could store my passkeys with Google, I’m trying to minimize my reliance on their security, as well as avoid the single-point-of-failure problem.) But I know that’s not something the average user is going to bother with.

Source: schneier.com
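The recovery codes the comment above talks about only work as a fallback if the service issuing them treats them like a password: shown to the user once, stored only as a slow hash, consumed on first use, and tolerant of the transcription errors that come with a paper notebook. The following is an added example of that server-side handling; it is not code from the comment author or from any real service, and the class and function names (RecoveryCodeStore, issue, redeem), the alphabet, the 8-code set size and the PBKDF2 parameters are all assumptions chosen for illustration.

```python
"""Issue and redeem one-time account recovery codes (illustrative example, not any
real service's implementation). Only hashes are kept at rest; the plaintext codes
are returned once from issue() and never stored."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Alphabet without look-alike characters (0/O, 1/I/l) so a code copied into a
# paper notebook can be read back reliably. 31 symbols ^ 10 chars ~ 49.6 bits.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_CHARS = 10
CODES_PER_SET = 8          # assumption: size of one recovery-code set
PBKDF2_ITERATIONS = 100_000


def generate_code() -> str:
    """Return one random code formatted as two 5-character groups, e.g. 'k7mx2-p9qaw'."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_CHARS))
    return f"{raw[:5]}-{raw[5:]}"


def normalize(code: str) -> str:
    """Lower-case the input and drop separators/whitespace before hashing, so
    'K7MX2 P9QAW' and 'k7mx2-p9qaw' hash identically."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow hash of a normalized code. A per-account salt (one for the whole set)
    lets redeem() hash the attempt once and compare it against every stored hash."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


@dataclass
class RecoveryCodeStore:
    """What the service persists for one account: a salt and the code hashes."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: list = field(default_factory=list)

    def issue(self) -> list:
        """Generate a fresh set, replacing any previous one (old codes stop working),
        and hand the plaintext codes back exactly once for the user to write down."""
        codes = [generate_code() for _ in range(CODES_PER_SET)]
        self.hashes = [hash_code(c, self.salt) for c in codes]
        return codes

    def redeem(self, attempt: str) -> bool:
        """Consume a code. Returns True and deletes the matching hash on success;
        a reused or unknown code returns False. Rate limiting / lockout is assumed
        to be enforced by the caller, since ~49 bits is not brute-force proof
        against an unthrottled endpoint."""
        candidate = hash_code(attempt, self.salt)
        match_index = None
        # Walk the whole list rather than returning early, so timing does not
        # reveal which slot (if any) matched.
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, candidate):
                match_index = i
        if match_index is None:
            return False
        del self.hashes[match_index]   # one-time use
        return True

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    codes = store.issue()
    print("Write these down now; they will not be shown again:")
    for c in codes:
        print("   ", c)
    print("first use accepted:", store.redeem(codes[0]))
    print("second use rejected:", not store.redeem(codes[0]))
    print("messy transcription accepted:", store.redeem(codes[1].upper().replace("-", " ")))
    print("codes left:", store.remaining())
```

The points worth noticing are the ones a recovery path usually gets wrong: the service keeps only salted PBKDF2 hashes, so a database leak does not hand out working codes; each code is deleted on first successful use; and normalization plus a look-alike-free alphabet keeps a hand-copied code usable without weakening it. The real hardening that the code cannot show is the rate limit on the redeem endpoint, which is what makes the 49-bit code space sufficient.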
