> You can either sync passkeys to an online account and across multiple devices, or use multiple passkeys stored in multiple physical authenticators.
But all of that has to be set up in advance, right? What happens if I really only have a single passkey, associated with my phone, and then lose the phone?
The upcoming W3C Web Authentication Level 3 defines a "backup capable" authenticator, which means that it goes beyond a single piece of hardware. Indicating "backups enabled" means that the user has a recovery process, such as if they store the passkeys in their iPhone and then lose/upgrade the model - they can just sign into iCloud on the new device.
Not all authenticators are going to have backups enabled (even ones which are backup capable), so these are really meant as hints so that a website (a la Relying Party in the spec) can guide the user to a proper experience. For instance, if you use a hardware security key fob, they may recommend you keep your password and SMS enabled as options, so you can get in even if you lose it.
> For instance, if you use a hardware security key fob, they may recommend you keep your password and SMS enabled as options, so you can get in even if you lose it.
But if you have this and the old authentication methods, doesn't that greatly reduce the security gains of this? I mean, the old methods still exist, so what you've done is increase the attack surface.
Yes!
> What about desktop machines with no fingerprint sensor or faceID?
You can use a PIN, your login/screen lock password, or an external device offering a fingerprint sensor.
> What happens if user loses the only device on which passkey was enrolled?
You can either sync passkeys to an online account and across multiple devices, or use multiple passkeys stored in multiple physical authenticators.