this post was submitted on 13 Mar 2026
Programmer Humor
Passkeys are supposed to be bound to one device and protected by that device's OS's secure enclave. If you have a second device you're supposed to create a second passkey.
That's why many sites will flat out refuse to let you create a passkey with a desktop browser since a PC-stored passkey doesn't fit the security model.
Websites should not get to dictate my security model. I'll accept annoying me about being less secure because I get that people are dumb, but you've gotta choose somehow! Also, any passkey is safer than a password, so that's still BS.
The logic behind it is that a smartphone-bound passkey represents two factors of authentication: what you have (the phone) and who you are (the fingerprint used to unlock the phone's passkey store).
Anything on a PC is easily copied and can only ever be safely assumed to represent one factor: what you know (the password to unlock your password manager). Thus the benefit of getting a two-factor authentication in one convenient step falls away.
Of course it's still super annoying, especially if you don't really trust your smartphone OS vendor and use a portable password manager already.
Yeah, that's how I understood it to work, as well. I didn't mention it because I've seen a bunch of different implementations that don't seem to work that way. I didn't want to speak too much on that specific point, since I don't have a very thorough understanding of it.