The first time I log in to a service on a new device it'll prompt me to sign a challenge with a previous passkey. If I've got my yubikey handy I'll just plug it in and sign it and add a new passkey to my new device. If I only have my phone the site will flash up a QR code I scan with my phone which signs and posts back the proof to a callback URL for the site. I only need to do this once per device if I add a passkey to the device.
Is the fact that you need access to an already- enrolled device to create additional passkeys part of the threat model that passkeys resolves, or just an annoying detail? And is this for every site, or just once per device? I can just look it up, this thread has been great to improve my mental model enough to start considering trusting it.
vel0city|1 year ago
threecheese|1 year ago