
My point is that we need to address and solve these issues. I agree with you, but if we dismiss them then they don't get solved. The best algorithms are useless if they're too complicated to use and can't fit the reality of an average user. Currently they are hard to maintain for technical users!


I don't think solving the syncing problem is as important as giving users clear expectations. The best way to teach passkeys to regular users is to use analogy. Consider the house key: the physical key that unlocks the front door of your house. You can have two keys on separate keychains so that you carry one of them and treat the other as a backup. But if your key is accidentally lost and potentially in the possession of a bad actor, you will want to change the lock on your front door. And if you do that, it is entirely your responsibility to change the keys on your other keychain.


We do do security by obscurity with our house keys; I don't label my house keys with my home address, while I do label my saved passwords with both the URL and my username. /shrug


I disagree. I think this strategy has been tried for a while. Decades of security training has improved things, but I don't think enough. Email encryption didn't get mass adoption until it was a seamless integration like in Gmail or iCloud. Same with text and phone, via Signal, WhatsApp, and iMessage.

My point is that training doesn't seem to be effective for the general population. Frankly, most people don't care. As we both probably know, a big part is likely not knowing the importance.


This strategy has not been tried. Decades of security training has focused on credentials and objects that only exist inside a computer. And because it only exists in a computer, it is too abstract and not tactile enough for regular users to form a mental model. Yubikey is the one chance where we tie digital security to physical security and give people a clear mental model. Earlier you said that

> The best algorithms are useless if they're too complicated to use and can't fit the reality of an average user.

I agree. So get rid of needing to understand algorithms and simply require users to understand passkeys in relation to their house keys.


> This strategy has not been tried.

Has your work never given you security training?

Have you tried to convince your friends to use messaging systems like Signal? What about PGP?

> understand passkeys in relation to their house keys.

Except they aren't the same thing, for exactly the reasons I was discussing. How often are locksmiths helping people get into their houses? What about their cars? It's a lot more common than you think.


You didn't get my point. It's not the lack of security training, but the issue is that the security training focuses on intangible things like passwords, domain names, links, emails. Yubikey is the opportunity to break this model and focus on tangible and tactile things that exist in the physical world. A passkey synced using iCloud or Google account does not break that model and will continue to be less understandable for real users than Yubikeys.

There are plenty of cases where I know that people have misplaced Yubikeys. They might have a spare Yubikey. Or the equivalent to finding a locksmith is to log in with a non-passkey method. It's fine and in fact better if logging in without a passkey is considered an unusual fallback.


You're not getting my point though.

> A passkey synced using iCloud or Google account does not break that model

Yes, yes it does. Have you seen how hard it is to recover these accounts? There are not uncommon HN posts that do get these solved, but only then by high visibility, a method most people do not have available to them.

> Or the equivalent to finding a locksmith is to log in with a non-passkey method

Sure, it is just that the backup methods end up undermining the security key.

Both of these were mentioned in my post you originally responded to: https://news.ycombinator.com/item?id=43988957

