
This is indeed the elephant in the room with WebAuthn.

There needs to be a way to e.g. share the secret seed in one passkey securely with another and put that in a safe deposit box, with a friend etc. without needing access to both keys whenever a new account is added.

It's a real shame that most stakeholders in FIDO/WebAuthn have moved on to passkeys as the canonical path forward over hardware-based solutions like this. Passkeys are definitely better than passwords, but they shouldn't be the only option out there as-is.



Yubico had done some work back in (I want to say..) 2020 to solve this very problem: bootstrapping a new key based on existing trust with an existing key. Of course the trick remains of needing to have access to both keys for at least a short time to create the relationship between them. They worked out some of the mathematics and cryptography they'd need, but it didn't seem to go anywhere. They wrote a blog post about it but I'm having trouble locating it.


I remember this as well, and it's a real shame it didn't go anywhere.

In terms of user experience, they could sell pre-linked "Yubikey pairs" or offer a user experience of e.g. plugging both into the same computer and resetting them via a long press to "entangle" the pair cryptographically.


I _wish_ for this. I have more Yubikeys than I can shake a stick at because I tend to use them as the exclusive MFA method for high-value accounts, such as many of my professional accounts.

The overhead and time I expend to do audits throughout the year and track which accounts/services are protected by which keys is in equal measure worth it and maddening. If I could just have a few new keys and "cross entangle" all of them, I would sleep as well as the Yubico promise, well, promises.


I always thought of passkeys as hardware tokens that shouldn't be backed up. It needs to be easy to have an extra one that lives in a secure place. But just as most people don't use secure passwords, they also won't worry about a backup key.

I am not sure that passkeys are any more secure than a random password stored in a password manager. I'm suspicious about password managers used to store passkeys. I guess they are better since you have to unlock the password manager.

I have had an idea for a place that can verify identity. Walk into a store, they take biometrics to verify identity, and then give you a card. That can be used to unlock accounts if locked out. It does have the risk of employees being bribed. But banks don't seem to have that problem. Making sure it is done in person should help.


Not being able to be backed up, to storage under the user's control, is the issue.

I don't want a Google or Apple backed phone to be the only hardware token secure enough to protect my key.

I want these devices to, RIGHT NOW, support copying their keys to another device that neither party can control. I want an open standard that people can implement in a less-than-$50 secure hardware device that I can duplicate these keys into. I think the UX of a "Key Safe" that is offline, physically securely stored, and can manually + securely have keys copied into, or copied off without Apple or Google's intervention would solve a lot of concern about the very real lock-in that's in play right now.



