Sure. But am I still locking my ability to access that account permanently to Google? Can I log in via Chrome on an Apple/Windows platform and add a passkey there?
I’m also a bit worried that this permanently entrenches these as the platform vendors because no one is going to port to a new platform unless you’re already a major tech company (maybe).
Google actually outlines that very scenario near the bottom of their announcement:
> Using passkeys does not mean that you have to use your phone every time you sign in. If you use multiple devices, e.g. a laptop, a PC or a tablet, you can create a passkey for each one. In addition, some platforms securely back your passkeys up and sync them to other devices you own. For example, if you create a passkey on your iPhone, that passkey will also be available on your other Apple devices if they are signed in to the same iCloud account. This protects you from being locked out of your account in case you lose your devices, and makes it easier for you to upgrade from one device to another.
> If you want to sign in on a new device for the first time, or temporarily use someone else's device, you can use a passkey stored on your phone to do so. On the new device, you’d just select the option to "use a passkey from another device" and follow the prompts. This does not automatically transfer the passkey to the new device, it only uses your phone's screen lock and proximity to approve a one-time sign-in. If the new device supports storing its own passkeys, we will ask separately if you want to create one there.
> For example, if you create a passkey on your iPhone, that passkey will also be available on your other Apple devices if they are signed in to the same iCloud account.
In addition to this, you can AirDrop a passkey from one device to another, even if they don't belong to the same iCloud account.
All of that just locks you into Apple’s platform and now I have a problem copying that passkey to Chrome.
However, a sibling commenter mentioned QR code export/import. That would alleviate the concern and be even more elegant, especially if it automatically created a new passkey registration instead of just copying it around.
AFAIK QR code export is not a thing, just speculation for how passkey exports could work (which I doubt since QR codes get hard to scan the more data you pack into them; maybe you could ask the user to hold the camera to the screen for a minute while the target machine cycles through each passkey, or cycles through QR code data itself to facilitate error correction and 100% data transfers).
That commenter is mistaken. The QR code is for authenticating on your computer via your phone over Bluetooth. It does not export the token to be used by another authenticator; you have to have the device with the passkey anytime you use this QR code method.
> that passkey will also be available on your other Apple devices if they are signed in to the same iCloud account
I am not sure I like this. Unless the passkeys are only transferred directly device-to-device, each OS vendor's user cloud storage now becomes the keys-to-every-kingdom uber-target.
If that is a concern of yours, there is an option on Apple devices to disable iCloud syncing for passwords/credentials. This would limit passkeys to strictly device-only.
> Passkeys on iPhone require that you use iCloud Keychain. If you don’t have iCloud Keychain turned on when you try to save a passkey, you’ll be asked to turn it on.
> If you want to sign in on a new device for the first time, or temporarily use someone else's device, you can use a passkey stored on your phone to do so.
No lock-in; you have two phone OS vendors to choose from!
That’s interesting and I think potentially addresses the concern. I don’t think I’ve seen Apple have a QR scanning code option for passcodes but it’s possible that’s just integrated into normal QR in-camera. Apple doesn’t have a QR export does it?
What would be nicer is if there’s a way to do this in Chrome on mobile. I’m not always near a computer, although in reality that’s probably when I’d be adding the passkey via Chrome.
In my case I created (1) one passkey for the Apple ecosystem, and (2) a second passkey for Chrome. I had to add the Chrome-specific passkey because Google isn't using native OS passkey support via Keychain.
I don't know if this will be universally true among sites that support passkeys, but Google allows you to create multiple passkeys per account.
You are confusing the location where passkeys are stored (your Android, your iPhone, your Yubikey) and where they can be used (to access your Gmail account).
I don't think they are; they're effectively asking whether accounts will support multiple passkeys. This is a reasonable question IMO: if the protocol is not well-designed, different services (account providers) may have different rules about how many passkeys can be attached to your account in their system. (E.g. "2 passkeys ought to be enough for anybody!") And for how they can be managed: removed and updated, particularly.
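
On the question of several passkeys per account: the sketch below is an added example, not part of the thread and not any site's real code, showing relying-party bookkeeping in which each account holds a list of WebAuthn credentials. WebAuthn itself sets no per-account count, so any cap is the site's own policy; `PasskeyStore`, `maxPerAccount`, `example.test` and the credential ids are hypothetical.

```javascript
// Added example; PasskeyStore, maxPerAccount, example.test and the ids are hypothetical.
class PasskeyStore {
  constructor({ maxPerAccount = Infinity } = {}) {
    this.maxPerAccount = maxPerAccount; // site policy; WebAuthn sets no limit
    this.byUser = new Map();            // userId -> Map(credentialId -> record)
  }
  list(userId) { return [...(this.byUser.get(userId) || new Map()).values()]; }

  // Options for navigator.credentials.create(). excludeCredentials makes an
  // authenticator that already holds one of these refuse to enrol twice.
  registrationOptions(userId, challenge) {
    return {
      rp: { id: "example.test", name: "Example" },
      user: { id: userId, name: userId, displayName: userId },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      excludeCredentials: this.list(userId).map((c) => ({ type: "public-key", id: c.id })),
    };
  }

  // Store a credential after the registration response has been verified.
  add(userId, { id, publicKey, label }) {
    for (const creds of this.byUser.values()) {
      if (creds.has(id)) throw new Error("credential id already registered");
    }
    const creds = this.byUser.get(userId) || new Map();
    if (creds.size >= this.maxPerAccount) throw new Error("passkey limit reached");
    creds.set(id, { id, publicKey, label });
    this.byUser.set(userId, creds);
  }
  rename(userId, id, label) {
    const rec = (this.byUser.get(userId) || new Map()).get(id);
    if (rec) rec.label = label;
    return Boolean(rec);
  }
  remove(userId, id) {
    const creds = this.byUser.get(userId);
    return creds ? creds.delete(id) : false;
  }

  // Options for navigator.credentials.get(): any enrolled passkey may sign in.
  assertionOptions(userId, challenge) {
    return {
      rpId: "example.test",
      challenge,
      allowCredentials: this.list(userId).map((c) => ({ type: "public-key", id: c.id })),
    };
  }
}
```

With the default settings an account can hold one passkey per ecosystem (for example one synced by iCloud Keychain and one created in Chrome), and removing one leaves the others usable for sign-in.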