• Jesus_666@lemmy.world
    16 days ago

    Passkeys are supposed to be bound to one device and protected by that device’s OS’s secure enclave. If you have a second device you’re supposed to create a second passkey.

    That’s why many sites will flat out refuse to let you create a passkey with a desktop browser since a PC-stored passkey doesn’t fit the security model.

    • Nat (she/they)@lemmy.blahaj.zone
      15 days ago

      Websites should not get to dictate my security model. I’ll accept annoying me about being less secure because I get that people are dumb, but you’ve gotta choose somehow! Also, any passkey is safer than a password, so that’s still BS.

      • Jesus_666@lemmy.world
        15 days ago

        The logic behind it is that a smartphone-bound passkey represents two factors of authentication: what you have (the phone) and who you are (the fingerprint used to unlock the phone’s passkey store).

        Anything on a PC is easily copied and can only ever be safely assumed to represent one factor: what you know (the password to unlock your password manager). Thus the benefit of getting a two-factor authentication in one convenient step falls away.

        Of course it’s still super annoying, especially if you don’t really trust your smartphone OS vendor and use a portable password manager already.
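
Added example, not part of the thread above: how a relying party can read the distinction the commenters discuss from WebAuthn authenticator data, where the flags byte reports user verification (UV) and whether the credential is backup eligible (BE, meaning syncable rather than device-bound). The policy labels, `assessFactors`, `makeSample` and the sample bytes are constructed for illustration.

```javascript
// Authenticator data layout (WebAuthn): rpIdHash[32] | flags[1] | signCount[4, big-endian] | ...
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (biometric or PIN on the authenticator)
const FLAG_BE = 0x08; // backup eligible: credential can be synced to other devices
const FLAG_BS = 0x10; // backup state: credential is currently backed up

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const parsed = {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    signCount: view.getUint32(33, false),
  };
  // WebAuthn verification rejects BS=1 with BE=0 as an inconsistent state.
  if (parsed.backedUp && !parsed.backupEligible) {
    throw new Error("backup state set on a credential that is not backup eligible");
  }
  return parsed;
}

// Hypothetical relying-party policy. Call only after the signature and rpIdHash
// have been verified; the flags are covered by the signature.
function assessFactors(parsed) {
  if (!parsed.userPresent) return "reject";
  if (!parsed.userVerified) return "possession-only";
  return parsed.backupEligible ? "syncable+user-verified" : "device-bound+user-verified";
}

// Constructed sample: zeroed rpIdHash, chosen flags and counter.
function makeSample(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

for (const [name, flags] of [["phone, fingerprint", 0x05], ["synced manager", 0x1d], ["no UV", 0x01]]) {
  console.log(name, "->", assessFactors(parseAuthenticatorData(makeSample(flags, 7))));
}
```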