Passkeys - How do they work? How to recover my account?

sorry about the tags, i have no idea what to put in there for this topic


Hello more security knowledgeable folks

I was reading google’s announcement about allowing passkeys: Google Online Security Blog: So long passwords, thanks for all the phish

And the following scenario comes into my mind:

I am on my phone and create an account on site X.com with a passkey. No password is needed because a passkey is more secure - that’s what everybody on the web says (including Google and 1Password in their demo).

What will the website require from me? I assume the following is enough:

  • username (email?)
  • passkey (generated by phone)
  • anything else (nothing, because X.com needs nothing else, most certainly not a password)

My passkey is now saved on my phone, and not synced anywhere coz… idk is it synced anywhere?

3 minutes later, while browsing X.com i drop my phone and it breaks.

Afaiu, a passkey is not something the user sees, so it’s not like a password that i might remember (say i have an excellent memory).

Is my account lost now?
Is the username also lost (i treasure TheBestPessimist as my online identity), because i cannot prove i am username anymore?

Or a different example:

I create a Bitwarden account. For that i need

  • email
  • passkey generated on phone

I use BW only on my phone and I save other passkeys for apps in BW.
Now my phone breaks.

Does this mean i lost my BW account, along with all the other accounts where i have only passkeys and which were stored in BW?

1 Like

The most functionally complete site I have seen is Microsoft’s live.com. With that you need the passkey (e.g. a YubiKey) and its corresponding PIN. Nothing else, i.e. no email, no 2FA.

I expect some debate as to whether this is really more secure than a password and 2FA.

1 Like

No, because you stored your passkey in a manager with cloud sync. iCloud does this today but soon they all will, including Bitwarden.

From my understanding, a passkey is just a WebAuthn credential (i.e. the ones we’ve been using to log in with our hardware security keys for years) that is both discoverable and cross-device.

Discoverable meaning: the first generation of security keys did NOT store any information about what accounts you are using it for; you signed into a website with credentials you provide to the site (username & password). This is a non-discoverable credential.
With FIDO2, the browser can ask the security key (or authenticator), “what credentials do you have for example.com?”, and the key would respond with “I have key abcdef which belongs to user joe on example.com, and key lmnop which belongs to jane on example.com”. The browser would then ask the user to pick one.
The site does not need to know anything about the user to generate a credential and store it on the authenticator; it is recommended to know a little about the user (i.e. a username), so that it’s easily recognisable in the previously mentioned prompt.

Cross-device simply meaning that it should be synced (i.e. over iCloud, Bitwarden, Google Drive, etc), and should be allowed to be used on multiple devices (including QR code usage). If the sync fails, or syncing was not enabled, yes. The account is lost (dependent on the websites company policies), just like if you’d stored a randomly generated password in a password manager that did not sync.

2 Likes

Thank you for the explanation @foxt.

From it, i infer that a passkey is imo a riskier authentication method than a password.

When i generate a 30 character password, i can write that down on a piece of paper (or on a post-it and stick it to my monitor :smile:), so even if i break my device, i can still access the accounts.
I can just use the password from that piece of paper to login on a new device if my old device is broken.

With a passkey i cannot. As soon as i lose access to the passkey, the account connected to that passkey seems lost forever.

Here is a different use case (a bit taken to the extreme, but it’s needed by some on a regular basis), why i think passkeys are detrimental:

I am travelling in a country which does not respect human rights. At the border, the security staff can simply take my phone and/or laptop and force me to either unlock it, or they somehow hack in and access my files (exploits, etc. - it does not matter for the example how access is gained).

When i travel to such countries, i generally backup everything on my phone to cloud storage, then i wipe my phone and login with an “empty account”. If it’s confiscated there is nothing to find inside.
Finally, after entering the country, i can reset the phone and login with the password that i remember on my phone’s account and in bitwarden.

Now let’s move from password usage to passkeys.
From my understanding, the desire is to totally forget about passwords. Passkeys everywhere!

After i have entered the country: how do i log in to my phone’s personal account now? I don’t have anything tangible to prove i’m myself. I don’t have the passkey either because it’s not human readable.

=> It seems that i need to setup and remember a password anyway for this particular case.

Then, i need to log in to Bitwarden again, to have access to all my other accounts. If i chose to store all my passkeys directly in Bitwarden, this means the BW passkey is also in BW, so how do i log in to BW?
Do i store the sole passkey of BW in my phone’s account, so that i can log in again? Do i use a password?

What i’m trying to get at is: to me it seems passkeys are not a panacea, as all the marketing touts them to be. We must still support passwords (later edit: or maybe recovery codes?) forever.

Is this understanding correct? Is my reasoning flawed somehow because i do not understand how the passkey ecosystem works?

1 Like

Reading what you guys write sounds too complicated. This is my understanding of passkeys:

  1. on account creation a public and private key are created. The non-local entity gets the public key. Locally, your passkey manager (e.g., Bitwarden/iCloud/Google) gets the private key.

  2. to login, the non-local entity uses the public key to query the passkey manager. The passkey manager uses the private key to answer the query. Successful answer causes login.

Bottom line: do you know all the passwords you use to login at sites? I don’t. I rely on Bitwarden to know the passwords. That is, to login somewhere, I HAVE to have Bitwarden. Passkeys are no different with respect to having to have Bitwarden (or some other manager that has the private key).

With a password, I can technically go into Bitwarden and copy that password and paste it somewhere else. I do not believe this type of action is possible with passkeys. But there will likely be a way to export your private key and import that private key into a different manager. Say you want to move your keys from Bitwarden to 1Password or something like that, or from Apple/iCloud to Bitwarden. Then it’s an export/import job.
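A toy version of the two explanations above (the discoverable-credential flow in @foxt’s post, and the public/private key split in the two-step summary), as an added example that is not code from this thread, from Bitwarden or from any passkey manager. The site keeps only the public key, the device keeps the private key, and a second device can log in only after the key store is synced. Names such as Authenticator, RelyingParty and Sync are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Authenticator is a toy model of the phone or a passkey manager: private keys
// indexed by site (relying party ID), then by credential ID. Constructed for this example.
type Authenticator struct{ keys map[string]map[string]ed25519.PrivateKey }

// RelyingParty is a toy model of X.com. It stores public keys and a display name only,
// so it can verify a login but holds nothing it could hand back to a locked-out user.
type RelyingParty struct {
	ID    string
	pubs  map[string]ed25519.PublicKey // credential ID -> public key
	users map[string]string            // credential ID -> username shown in the picker
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]map[string]ed25519.PrivateKey{}} }

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]ed25519.PublicKey{}, users: map[string]string{}}
}

// Register generates the key pair on the device; only the public half leaves it.
func (a *Authenticator) Register(rp *RelyingParty, user string) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	credID := hex.EncodeToString(pub[:8]) // toy credential ID, derived from the public key
	if a.keys[rp.ID] == nil {
		a.keys[rp.ID] = map[string]ed25519.PrivateKey{}
	}
	a.keys[rp.ID][credID] = priv
	rp.pubs[credID], rp.users[credID] = pub, user
	return credID
}

// Sync shares this device's key store with another device, as iCloud or Bitwarden sync would.
func (a *Authenticator) Sync(dst *Authenticator) { dst.keys = a.keys }

// Login is the discoverable flow: the site sends a random challenge, the device looks up
// what it holds for that site, signs the challenge, and the site verifies with the public key.
func Login(rp *RelyingParty, a *Authenticator) (string, error) {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	msg := append([]byte(rp.ID), challenge...) // binds the signature to this site, not a look-alike
	for credID, priv := range a.keys[rp.ID] { // "what credentials do you have for rp?"
		sig := ed25519.Sign(priv, msg)
		if pub, ok := rp.pubs[credID]; ok && ed25519.Verify(pub, msg, sig) {
			return rp.users[credID], nil
		}
	}
	return "", errors.New("no usable passkey for this site on this device")
}
```

Registering on one phone, losing it, and trying a fresh one shows the thread’s point: without sync the new device has nothing to sign with, and the site cannot help because it never held the private key.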

As far as I’m aware, the Passkey specification disallows exporting of the private key. Apple at least doesn’t let you do that.

Apple stores a passkey in iCloud, which is similar to exporting a passkey, but only works with Apple devices.

Here is an interesting Q&A about passkeys: Passkeys may not be for you, but they are safe and easy—here’s why | Ars Technica

The response to my question would be: a passkey is not human readable, so if i need to get access to an account, then it is correct and advised to use a password.