Deleted passkey question

Question

Created Oct ’22

Replies 2

Boosts 0

Views 1.4k

Participants 2

Hi, I'm just discovering passkeys and I was trying it out for the first time on passkeys.io when I encountered my first question.

I created an account using my email address on my iPhone. This led to the creation of my first passkey, visible in my Apple Keychain, encrypted within my iPhone. After that, just to play around, I deleted the passkey from my Keychain. I quickly realised I wasn't able to login on passkeys.io with my email address anymore. And then I stumbled upon this message, and the last sentence is basically the thing I'm trying to understand :

With the ability to delete a passkey (and presumably the only way of accessing an account) outside of an app, it leads us with orphaned accounts on the said app. Accounts exist on the server but the users cannot access them.

What is the best pattern here?

Boost

Answer 1

Systems Engineer OP

Apple

Oct ’22

You can see the comment I left on that reply :)

A passkey is not an account, just like a password is not an account. Both passkeys and passwords are credentials to access an account. If a user deletes their password-based account today, their username and password still remain in their password manager. The same is true for passkeys.

This applies in the opposite direction as well. If I'm using modern best practices for password management (I have a password manager that creates strong, unique passwords for every account), and I delete my password from the password manager, I'm left unable to log in to that account again until I reset the password. The exact same thing is true for passkeys. Accounts using passkeys still need a passkey reset flow, just like password reset flows today.

0

Answer 2

vltclz OP

Oct ’22

Ok that makes sense, I think I got confused because of the fact that passkeys.io didn't implement any reset flow, so I got left with a totally unaccessible account.

0