That depends on whether you need to have an active account to use your existing devices. For example, an Apple user would need to migrate before things fall out of sync, but they have a full copy on every device.
The fallback path here is what you’d do with any other MFA loss. It’s not a federated login system so you’d be looking at some kind of account recovery process for each of the sites where you used your passkey, just like you would if you lost a Yubikey or changed phone numbers.
This is incorrect; there is no fallback once they have shut you out. The correct answer is to not use a passkey that's managed by the device ecosystem.
Citation? Are you conflating losing access to your iCloud account with a remote-wipe? I’ve used devices which had synced passkeys when iCloud was disabled (MDM gaffe) or unavailable due to a password change, and the credentials which had already been synced continued to work without issue.
> The fallback path here is what you'd do with any other MFA loss.
Which, in many cases, is avoid MFA because it's less secure. Yes, less secure because availability is part of security.
And I don't have a better plan to store all those recovery codes than to store all those passwords. So the attacker can still get in with the same effort, but I have to keep getting my phone. No thank you.
I agree that storing recovery codes is a pain point, but they're fundamentally different from passwords in that you don't need to use them for each login. That allows you to put them in cold storage, whether that's an encrypted flash drive, a piece of paper, a box buried in your back yard, or whatever else you want. Doing the same thing for information you need on each login would be ridiculous, but for a once-in-a-blue-moon recovery situation, the lack of convenient access is fine.
> Yes, less secure because availability is part of security.
This is too often forgotten. Availability is a fundamental part of security and must be part of every threat model.
And your threat model needs to be matched with what it is being protected. One size does not fit all.
For example, to log in to my brokerage account, I may be ok with a solution where I might lock myself out and have to go to a physical branch to restore access. Because while that would be a pain, it's better than having my life savings stolen.
But to log in to, say, Facebook? Availability and convenience are #1 above all; it's just cat videos and other extremely low-value stuff, so it's not worth any inconvenience.