Pass the key, passwords have passed their sell-by date
- News link: https://www.theregister.co.uk/2026/04/23/ncsc_passkey_tech_now_reliable/
New official guidance states that passwords should not be used where passkeys are available, overturning decades of conventional advice. A technical report, released today at the NCSC's annual CYBERUK conference, concludes passkeys "are at least as secure as, and generally more secure than" a password and two-step verification (2SV) combo.
The agency had considered this move last year, but held off until some "implementation challenges" were addressed by the industry [1], including inconsistent passkey naming across platforms, unreliable device support, and limited credential manager compatibility. Those gaps have since narrowed enough to act.
Google, eBay, and PayPal were named by NCSC as three major platforms that made it easier for users to adopt passkeys, with around 50 percent of UK Google users registering at least one. Microsoft made passkeys the default standard nearly a year ago [3].
Where passkeys aren't available, the signals intelligence agency advises consumers and businesses to keep using the password+2SV combo, but use a password manager [6] so those passwords remain complex and unique to each service.
As Reg readers know, keeping passwords unique means that if - for example - they end up in an infostealer dump, they can't be used to access several accounts. Using 2SV on top of that adds another layer of protection in case a cybercrim successfully gathers the correct username-password pair.
Jonathon Ellison, director for national resilience at the NCSC, said:
"The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative that provides stronger overall resilience.
"As we aim to accelerate the UK's cyber defenses at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats."
Passkeys work by creating a cryptographic key pair between a user's device and the protected account. They can't be guessed or phished, are up to eight times faster to use than passwords, and eliminate the fatigue of creating and remembering credentials.
For years, passkeys were widely considered to be the eventual killers of the password. Promoting passkey adoption is another step the NCSC is taking to boost the state of UK security.
Richard Horne, the agency's CEO, said this week [13] the number of nationally significant cyberattacks hitting Britain is hovering around similar levels as October, when the NCSC said it witnessed four every week [14].
Factoring in the current state of geopolitics and the ever-sophisticated frontier AI models [15] threatening defenders, Horne urged organizations to prioritize security hygiene as the country enters a period of "tumultuous uncertainty." ®
[1] https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better
[3] https://www.theregister.com/2025/05/04/security_news_in_brief/
[6] https://www.theregister.com/2026/02/16/password_managers/
[13] https://www.theregister.com/2026/04/21/ncsc_chinas_cyberattacks_uk/
[14] https://www.theregister.com/2025/10/14/ncsc_uk_cyberattack_surge/
[15] https://www.theregister.com/2026/04/12/ai_open_weights_models/
Re: Great!
Clearly you don't understand how passkeys work - go and do some research before shooting your mouth off...
Re: Great!
Well, let's see. The passkey is a complex password stored on my device/in the cloud that a site or program asks for. I unlock my vault with a password/PIN/face/fingerprint and the site/program verifies the device is authorised.
How am I doing so far?
Re: Great!
I understand that passkeys add a strict dependency on a specific device, an Internet connection being available, a specific cloud service being available, or a combination of the three, depending on implementation. Any of these is a point-of-failure, which can and does fail in real life, and whose mode of failure is that you're locked out of the service you want, with no easy workaround.
By comparison, a proper password manager with encrypted local storage and sync across several devices lets you use high entropy passwords that are immune to guessing and bruteforcing, and only locks you out if all of your devices are unusable AND you're offline on top of that.
If I'm wrong, I'd like an explanation or a pointer to where I can get one.
Re: Great!
Why do you need access to a cloud service to use a passkey? I can store passkeys in my browser or 1Password which are stored locally on my machine.
Re: Great!
What happens when your machine decides to curl its toes up?
Re: Great!
I do have a pocket-computer (aka smartphone) but it's not my main phone and I definitely don't have it with me all the time.
Storing them in the browser works only when you are on your computer or when you spend an unhealthy amount of time fiddling with software and devices so everything is synced and integrated.
Re: Great!
"I can store passkeys in my browser or 1Password which are stored locally on my machine."
I can store my passwords locally on my machine in Keepass. I can sync to my local NextCloud and from that to my spare machine.
Keepass is encrypted and protected by its own password which is the only one I need to remember.
Re: Great!
There are passkey card options like PIN protected Fido2 cards for 15 quid. 300 passkeys per card. Though you'll want to maintain a backup card or 3 for the important services.
www.token2.com/shop/category/fido2-cards.
We'll see over time, hopefully they are less vulnerable to breakage over a long term than the older TOTP synchronised number generators.
Re: Great!
Most (95%) of my accounts that currently use passwords don't protect anything of any value (sorry, but that does include the el Rego. login.)
Basically like suburban fences - keeps honest people… well, honest. The serious miscreant will easily hop over them.
The inclusion of a device identifier in the passkey generation will be a PITA where the service is accessed from multiple devices (phones, tablets, notebooks and desktops - from experience that can easily add up to well over 6.)
Most banking apps seem to use passkeys already (and 2FA) but with most users having everything on the one phone the security is only as good as the phone's I suspect.
I wouldn't mind using an optional TOTP where I provide the secret (key) - the otpauth:// URI format is accepted (either directly or via QR code) by most OTP clients. Getting the six digit code via SMS seemed just plain daft to me.
Dislike passkeys
Handing your security to someone else and insisting on a cloud connection is not safe or wise, especially as all the big passkey providers are US based. Seems more secure as cert based but really makes it less usable and potentially more exploitable due to a permanent file holding the security information.
Password manager, complex by default unique passwords with MFA MUCH more secure. Using passkeys will eventually be seen as a bad decision, much like contracting Palantir or thinking an Oracle implementation will stick to budget.
implementation
There's a lot of benefits to Passkey for sure, and I don't think it needs any cloud connection as such above the site you're trying to authenticate with. The bigger issue is that it needs some sort of management software, and from what I've seen that's now all over the shop, and least supported on PC.
For the average Joe it protects against a lot of problems. But the average Joe also needs a reliable manager to manage them, passkeys fragmented across 3 apps, and only on their mobile.
Companies not listening
It would be great if I could just use my YubiKey to log in to the various web sites and services that I use. It would also be great if I could log in to Windows and RDP sessions at work with a YubiKey.
Is the company I work for planning to use passkeys? Nah, they think Windows Hello is a good idea. FFS.
Do any of the web sites or services that I use support passkeys? Only one of them.
Passkeys are a great idea, but as far as I can see, there's too much "not invented here" and inertia to make them commonplace.
Yeah great.
I have an Android phone, an Apple Tablet, a Windows Laptop and Linux desktop.
So I'd have to try and remember which one is set up with which and then find the correct device for that service.
Or I just use Proton Pass across all devices
Re: Yeah great.
You can have a PassKey for a service on >1 device though
Implementation lacking
I like passkeys and the idea of them - it's the implementation that leaves a lot to be desired. I can't create a passkey on my Nintendo account, despite it having been supported for about two years now, because they use server-side code to only allow their creation on Android or iOS. I have a modern Yubikey which has had support (and been used) on multiple other websites, but no - the site insists I must use a mobile device, and even blocks the Yubikey on those.
Tying your account logins to another layer of account lock-in to a giant provider/operating system vendor is plain stupidity, so unless sites as a whole get their act together and stop limiting by device, they remain a no for me. And for god's sake, let me add more than one passkey so I can log in from another device without having to sync to a server!
Re: Implementation lacking
Weird I have a Nintendo Account passkey set up on my Windows laptop.
Password + 2FA still works best for me.
Password managers are all very well for people who use one or maybe two devices.
Although I have a primary PC at home and one at work, I use several devices both at home and work where I either cannot use a password manager or have no desire to use one with.
Some of them will also be 'guest' accounts or some generic account that I don't want any personal data stored on.
I know little about how passkeys work as there seems to be no particular standard but I'm guessing it would be a similar situation as I've described?
Other than a physical key, such as a USB key, I don't see how anything can be more secure than 2FA, assuming the user doesn't fall for social engineering attacks etc?
Or maybe I'm just a stubborn old git who needs to get with the times!!!!
stubborn old git who needs to get with the times ?
Bugger that. Just look at "the times." Who in their right mind would possibly "need to get with" these times ? "Get without" makes more sense.
Just wait long enough and familiar, saner times will catch up with you.
Great!
So now instead of relying on memory or my trusty paper notepad I have to rely on an internet connected device and the benevolence of the cloud provider.
Of course, now everybody and his dog will INSIST on using a password..., sorry, passkey for everything, even if that's not necessary. And a special app working only on the latest flagship devices.