Is the fact that you need access to an already-enrolled device to create additional passkeys part of the threat model that passkeys resolve, or just an annoying detail? And is this for every site, or just once per device? I can just look it up; this thread has been great to improve my mental model enough to start considering trusting it.
It's per-site. So the first time I log into GitHub on a new device, I need to do the handshake with another device. The first time I sign into Coinbase, I need to do the handshake with the other device.
So this typically means when I get a new device I'll have my Yubikey in a bag or something with me for a while and pull it out from time to time. Eventually practically every site I use gets enrolled on the new device and I never actually need to reach for the Yubikey or my phone or whatever.
I don't really make any concerted effort to go through each and every account when I get a new device; it'll pretty much just happen eventually. When I do sign up for a new account that supports passkeys, I do try and make an effort to make a passkey on at least two devices, though, often at least whatever device I'm using to initially register and my Yubikey. Then I'll make a point to log in sometime in the next few weeks on another computer and create a passkey there. Eventually I'll probably end up logging in and making passkeys on most of my devices.
Needing to auth with an existing passkey is a major part of the model. If you could just log in and create a new passkey with just a regular password, what's the point?