Nuts and bolts of using Passkeys
I am a relatively long time user of 1P but so far a 'never' user of passkeys. I'm sure it is in my best interest to use them but I am still uneasy with the "nuts and bolts" of their implementation for my accounts.
Lets take GMail as an example as it is the most important service I have outside of 1P, that requires protection.
I am prompted by Google, not infrequently, to adopt a passKEY log in but so far I have declined. Right now, when I need to log in I use 1P to obtain the stored password and if necessary, if asked for, use my physical Yubikey (or my AEGIS authenticator to generate a TOTP).
IF I take Google up on its offer to establish a log in using a passkey...
- will I be prompted to save it in 1P as is the case when generating a "traditional" password? Is this passkey saved within 1P AND on my machine (independent of 1P)?
- I would imagine that with GMail one can then sign in using only the passkey generated previously (with no "need" for my yubikey or Aegis authenticator) and no longer requiring the previously established passWORD. But (any)one can still log into my GMail account using that long held password (but still needing one of my 2FAs?). So still being able to sign into my GMail account traditionally seems like a security flaw?
- I have several devices for which I view my GMail accounts. If any of these devices has 1P installed on it can I use that same saved single passkey or do I need to create and save a separate passKEY for each device? If the latter, I would need to be more specific in the appropriate 1P entry as to which goes with which?
