Sorry about the tags, I have no idea what to put in there for this topic.
Hello more security knowledgeable folks
I was reading Google’s announcement about allowing passkeys: Google Online Security Blog: So long passwords, thanks for all the phish
And the following scenario comes into my mind:
I am on my phone and create an account on site X.com with a passkey. No password is needed because a passkey is more secure - that’s what everybody on the web says (including Google and 1Password in their demo).
What will the website require from me? I assume the following is enough:
- username (email?)
- passkey (generated by phone)
- anything else (nothing, because X.com needs nothing else, most certainly not a password)
My passkey is now saved on my phone, and not synced anywhere coz… idk is it synced anywhere?
3 minutes later, while browsing X.com I drop my phone and it breaks.
Afaiu, a passkey is not something the user sees, so it’s not like a password that I might remember (say I have an excellent memory).
Is my account lost now?
Is the username also lost (I treasure TheBestPessimist as my online identity), because I cannot prove I am username anymore?