**** The Google passkeys threat model ****

So let's pull this together. Google says: "When you create a passkey on a device, anyone with access to that device and the ability to unlock it, can sign in to your Google Account." They then suggest keeping physical control of your devices is easier than watching for phishing attempts.

The reality is that every day many phones are stolen and successfully unlocked (or are already unlocked when stolen) by thieves. We've seen the reports lately of iPhone users being totally locked out of their Apple accounts when thieves reset security keys -- and Apple can't help.

But whether Android or iPhone, the bottom line is that, as I understand this, stolen unlocked phones using passkeys for account security give the thieves complete access to those accounts, until such a time as the rightful owner manages to revoke them -- which could be hours in many situations out in public, far too late.

To me, this is putting too much faith in the physical security of the devices, when we KNOW that every day many are stolen, unlocked, and abused. Having passkeys in such situations could make even more accounts instantly vulnerable, given that the passkeys wouldn't need additional authentication to be used by the thief in these scenarios.
https://files.mastodon.social/media_attachments/files/110/305/816/678/596/739/original/4ce7b65a17ab4b39.png
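The post's concern is that a passkey on an already-unlocked phone can be used with no further authentication. The following is an added example, not part of the original post and not Google's or any passkey provider's code: it shows how a relying party can parse the WebAuthn authenticatorData returned with an assertion and refuse sign-in unless the authenticator reports fresh user verification (the UV flag, set only when the user passed a biometric or PIN check for this sign-in) rather than mere user presence (UP). The relying-party ID `example.com`, the function names, and both sample assertions are constructed for this example.

```python
import hashlib
import struct

# WebAuthn authenticatorData layout (W3C WebAuthn Level 2, section 6.1):
#   rpIdHash  : 32 bytes  SHA-256 of the relying party ID
#   flags     :  1 byte
#   signCount :  4 bytes  big-endian counter
#   (attested credential data / extensions follow when AT / ED bits are set)
FLAG_UP = 0x01  # User Present: a tap or equivalent gesture
FLAG_UV = 0x04  # User Verified: biometric / PIN / device-unlock check at this sign-in
FLAG_BE = 0x08  # Backup Eligible: credential is a synced passkey
FLAG_BS = 0x10  # Backup State: credential is currently backed up

RP_ID = "example.com"  # hypothetical relying party ID


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def accept_assertion(auth_data: bytes, rp_id: str = RP_ID,
                     require_uv: bool = True) -> tuple:
    """Relying-party policy check on an assertion's authenticatorData.

    Signature verification over authenticatorData || SHA-256(clientDataJSON)
    is assumed to have been done separately; this function only enforces the
    flag policy. Returns (accepted, reason).
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not parsed["user_present"]:
        return False, "UP flag not set"
    if require_uv and not parsed["user_verified"]:
        # The phone may be unlocked, but the authenticator did not re-verify
        # the user for this sign-in; require it for account access.
        return False, "UV flag not set: no fresh user verification at sign-in"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticatorData prefix (not captured from a device)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


# Constructed samples: a synced passkey (BE+BS set) used with and without UV.
ASSERTION_UP_ONLY = make_auth_data(RP_ID, FLAG_UP | FLAG_BE | FLAG_BS, 0)
ASSERTION_UP_UV = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)

if __name__ == "__main__":
    for name, data in (("UP only", ASSERTION_UP_ONLY), ("UP+UV", ASSERTION_UP_UV)):
        print(name, accept_assertion(data))
```

A relying party gets the UV flag set by requesting `userVerification: "required"` in its `PublicKeyCredentialRequestOptions` and then checking the bit server-side as above; asking for it in the options alone is not enough, because the check that matters is the one on the returned flags. This mitigates the "already unlocked when stolen" case the post describes, since the thief is prompted for a biometric or PIN at each sign-in; it does not help when the thief also knows the device PIN, which is the case where revocation remains the only remedy.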