That's weird, I can login to my HealthEquity account (which contains HSA) without any issues and I don't have passkey setup. I confirmed it just now just in case.

That article does say "HealthEquity Mobile and web experience" so maybe it's just for customers who use both, I only use web.

side note, HSAs are also a symptom of a failed Healthcare system

First, in relation to TFA: even if you regain access through a recovery channel, any data that was encrypted using your lost passkey will now be gone.

There are also many exciting new ways you can lose your passkey that wasn't the case with a password you can remember in your mind. The person you responded to is worrying about big tech randomly banning you and making you lose access, in the meanwhile I'm mostly worried about losing the physical device containing the key. I don't think I will forget, say, my Google password unless I got Alzheimers or got hit in the head by a hammer, at which point I will have bigger problems than a lost Google account.

And let's not pretend account recovery process is always smooth and easy. They may require evidence from your other accounts you cannot access now due to the key loss. They may demand government IDs that might have been lost alongside your device. They may also just deem your recovery attempt fraudulent and ban you for no reason (which I similar to the scenario the post you are replying to desctibed.)

Genuine question: what if the recovery asks for a 2nd factor that's e.g. the device which you lost? Is that common?

Personally I don't really trust companies to not do a whoopsie and permanently lock you out when you lose credentials. Especially when the company is big or hard to access in person.

For someone like me who already uses a password manager for everything, passkeys seem to add no security while reducing usability and control.

> A safe password and a good password manager are way better, they don't lock you into any platform.

An open, cross-platform passkey implementation does all that too, and on top of that prevents you from accidental password leaks via logs, MITM etc. by default.

> It's super sad to see all kinds of websites offering you to add a passkey when you log in.

As long as they're not forcing you to add one, what exactly is your problem with having more choice?

Personally, I am grateful for every site that doesn't require my phone number to sign up and uses passkeys for authentication instead, yet I also don't want SMS authentication banned for everybody since I understand it currently works better than Passkeys for many people.

passkeys are a great idea, but poorly implemented

I was planning to make use of passkeys when logging on to various services, so I ordered three physical devices, supporting passkeys (yubikey). I ordered USB C and USB A variants, with NFC support.

Is this a mistake? I am already using password manager and totp for my accounts, but I am tired of dealing with passwords.

Even when using a password manager (bitwarden in my case), it just get tedious bringing out my phone, starting auth app, locating the correct account, reading 6 digit token and logging on.

Passwords are terrible UX for old people in my experience. They try use the same password everywhere, but then password complexity requirements mean they can't use the exact same password everywhere, and then they forget which variant they used on which service, so they just end up going through the reset password flow every time they sign in. I am not convinced that's a better UX than them just using their fingerprint or face to login.

Biometric keys are still a niche techie thing that the average person probably doesn't even know exist. Most people will be using passkeys exclusively through their phones, often unintentionally. And outside the first world it is not uncommon for people do own no computing devices apart from their phones.

Backup keys and recovery codes also do not solve all cases of key loss. One thing I worry about is what happens if I am traveling in a foreign country and loses my belongings. In the past if I can convince someone to let me use his computer I can at least log into my email account as long as I remember my password. If everything is passkey then I will be locked out of all my online accounts until I make it back home, assuming that I have actually properly set up the backup device and keys. Humans are not very good at making sure that backups actually work.

You can’t expect your grandma to go to those lengths. Heck, even most internet-native people probably wouldn’t.

Too bad the spec is stupid and requires password managers to be identifiable so servers can deny the "insecure ones". It's already a pain to use Keepassxc for otp since they all want you to use their apps but it's still doable (the worst offender being steam where you have to hack your own app to extract the otp secret). With passkeys you won't have a choice to use The Google AuthenticatorTM etc because eventually some exec will find they can block every provider except their own to boost app download KPI. I really like concept of passkeys, the simple fact of using asymmetric keys is so much better than giving the secret to prove you have it, but the spec is hostile and thought for vendor closing.

> exportable passkeys

But didn't the author hint that this could get blocked?

My general read on passkeys and their implementers is that exportability is seen as a risky feature, and there's a push to make it as opaque as possible, likely through attestation or similar mechanisms.

[1]: https://github.com/keepassxreboot/keepassxc/issues/10407