What happens if you lose your phone? I can’t find any explanation of passkeys that explains how I recover if my phone dies, gets stolen etc.

If you need a new password manager to keep 2FA codes as well as passwords, Bitwarden is open source (AGPL-3.0/GPL-3.0), and you can self-host the server if you want. Only solution that won't eventually become crappified by a business that doesn't care about you.

Microsoft authenticator is such a travesty. Proprietary 2FA, no standards, can't export the seed.

They just moved the saved password functionality to their browser. Just like Mozilla did.

All because of advertising. Strong passwords + not tying the account to an email address is the most phishing resistant thing one can do, however nobody is allowed to do this because they need your email address for advertising. Stop welding my identity to an email address and the entire problem becomes an order of magnitude easier to manage and maintain.

Wait so are people just going to lose their passwords? That seems like terrible PR for a company that want to shift to services. If you rug people just for marketing reasons like that why should anyone trust you with important business processes. This won't be something people can just ignore, if I lost my (homebrew for exactly this reason) password manager it would probably cause close to 40 hours of time cleaning up the mess spread out of months. We're talking about millions, potentially even billions of dollars worth of destruction depending on how many people were stupid enough (yes that's the appropriate word although it's more obvious now) to trust Microsoft to maintain their secrets for them.

Apple keeps pushing PassKeys to me.

Also, Apple requires at least one AppleID password, that I need to keep entering at random intervals - usually when I update any device, but sometimes randomly when I buy stuff on App Store.

Also I still need a Mac user password, which is a different password, of course.

I am skeptical of passkeys. Not of the technology itself exactly, but people’s implementation of it.

Username/password is much easier to grok (for developers and users) and while it absolutely has downsides, as a user, I can fully protect myself with username/password (unique password per site).

Passkeys might allow for fewer _user_ footguns but I worry there more _developer_ footguns. Also as a “power user”, I don’t want to deal with passkeys when I’m trying to automate something or scape my own data out of a website. It’s just another complication and I worry that anything edge-case-y (even approved methods) will break or have complications if you use passkeys (think app-specific-passwords when 2FA rolled out for gmail access).

Because of this I consistently decline passkey usage until such a time that I feel it’s better understood by the people implementing it.

Microsoft continues its was against its own users.

I do not support - under any conditions - an application which DESTROYS existing secrets.

You can stop supporting new ones, but as soon as you destroy old ones YOU are a vulnerability, Microsoft.

How can I ever trust you to not delete secrets in future?