
How do you handle delegation in this case? Let's say I want to delegate access to my account to a partner/friend/employee on a service that doesn't support multiple users per account, charges extra for it or outright doesn't want me to delegate access to someone else (so it's not always possible to rely on the website's cooperation).

Currently I can just message them the password or even write it down on a post-it note and they'll have everything they need to complete the task as me. How does it work with passkeys? Does the spec allow my passkey HSM to securely share the secret by encrypting it against the recipient's passkey HSM? Can it use the concept of leaf certificates to sign a short-lived certificate allowing access to that credential without sharing the credential's secret itself?

I can't advocate for passkeys until the concerns above are resolved. The push for passkeys seems like yet another attempt to remove control from the user.



You can create a passkey for your account on their device, e.g. by selecting "Use another device" when creating it, and scanning the QR with their phone (their phone does not need to be signed in to your account).

And if you both use iOS, you can Airdrop a passkey: https://support.apple.com/guide/iphone/share-passkeys-passwo...


This is what I love about passwords. They are tangible and understandable. I would have loved if we could move towards a solution that has the benefits of passkeys (prevents phishing, strong secret, doesn't send the secret to the server) without ditching the underlying secret being a somewhat human-readable password. It seems that in-browser password managers get us 99% of the way there. I would have loved to do something like adding a PAKE system to regular passwords rather than a new system built on top of non-human-readable keys.

I'm sure we will gain the ability to dump the key to a file or write down onto paper at some point but it seems that we are starting from the wrong end.


Also tangible and understandable is a registry of users who have access to your accounts, that allows you to grant and revoke access (at possibly different levels), without having to reset all your own credentials.

I've got to quit commenting, but humans are undeniably the weakest link in security. While I understand the perceptions and even share some of the concerns expressed in this thread about the loss of control, reverting to a human-readable string as a key would only regress the whole scheme to something that is, once again, as easily compromised as a system protected only by any other human readable string.

We just have to cultivate new habits. Enroll multiple keys or devices. Print the backup codes and put them in the fire safe with your birth certificate. Give trusted friends and family access to recover your account in the event you lose the credentials or get hit by a bus. It's a few extra steps up front, but once it's working, it's so much easier.

Honestly, there are so many people who never have any idea what their password is, so they end up resetting it all the time... passkeys are a net positive. Now they don't even have to remember anything.


> It's a few extra steps up front, but once it's working, it's so much easier.

It's a few extra steps per site. Every time you get a new device you need to go back to every site you've ever visited and update the credentials. It is maybe feasible for a few important accounts but it doesn't scale.

Whatever solution we have needs to be syncable and able to be exported to a safe once and continue to be usable by new sites and devices into the future. People aren't going to print out their credential list every month to update the fire safe.


The now-unfortunately-named "Password managers" help with this by providing various mechanisms to sync keys with multiple devices, so that every time you get a new device, you simply need to authenticate and transfer the key store to the new device.

The device's hardware security facilities are there to protect the keystore. They aren't /the/ keystore.

Find a key manager. iCloud Keychain, Microsoft Authenticator, Bitwarden, something. Use that. Concerns about migrating devices dissolve away.


The accounts and services I use that support passkeys also support some form of account delegation, recovery contacts, legacy contacts, or family sharing. This includes Apple, Google, Microsoft, and self-hosted services through Authentik, Authelia, and Keycloak.

My experience is not necessarily representative, but I am not sure how big the issue you describe would be, in practice, for the majority of users, who will be, by and large, using one of these services.

What is clearly a major issue for the majority of users is unauthorized account access and resource theft through the use of easily-phished account credentials protected by nothing more than a character string being passed around in text messages and sticky notes.


> What is clearly a major issue for the majority of users is unauthorized account access and resource theft through the use of easily-phished account credentials protected by nothing more than a character string

Is this a major issue though? I think it’s pretty minor, not being able to share or backup my passwords is a pretty huge issue in my books.



