
For me, the only thing that makes passkeys viable is backing them up in the cloud and automatically syncing them across devices. Otherwise, I do not trust them.


What do you use?


Not the parent, but the obvious answer is: a hard token (e.g. Yubikey). After all, passkeys are just a software emulation of the smart card / FIDO2 mechanism that's been around for many years.


This doesn't solve the problem, unfortunately.

The issue with hard tokens is that there is only one of them. By design, you can't back up a Yubikey's content to a second token. This means that any time you add 2FA to a new account, you must have all of your hard tokens in your possession to enroll them. This means a "one token on your keyring for daily use, one token in a safety deposit box as backup" approach isn't possible.

Yubico did propose a potential solution five years ago[0], but that proposal seems to have gone nowhere. Until something like that gets implemented, FIDO2 (and by extension Passkeys) requires some form of software implementation backed by cloud synchronization to actually be usable for the average person.

[0]: https://www.yubico.com/blog/yubico-proposes-webauthn-protoco...
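A small model of the point above, added here and not from any commenter: each token holds a private key that never leaves it, so a relying party only accepts a token whose public key was enrolled at that particular service, and a backup token helps nowhere it was not enrolled. It assumes one key pair per token (real FIDO2 tokens make one per registration) and stand-in names such as Token, Account and Enroll.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Token stands in for one hardware authenticator: its private key is generated
// inside it and never exported, so it cannot be cloned onto a second token.
type Token struct {
	Name string
	priv *ecdsa.PrivateKey
}

func NewToken(name string) (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{Name: name, priv: priv}, nil
}

// Sign answers a login challenge as the token does during a FIDO2 assertion.
func (t *Token) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.priv, h[:])
}

// Account is one user's credential list at one relying party. Only tokens
// enrolled at this service are in it, so enrolment has to be repeated per service.
type Account struct{ creds map[string]*ecdsa.PublicKey }

func NewAccount() *Account { return &Account{creds: map[string]*ecdsa.PublicKey{}} }
// Enroll stores the token's public key; the private key stays on the token.
func (a *Account) Enroll(t *Token) { a.creds[t.Name] = &t.priv.PublicKey }

// Verify returns the name of the enrolled token that produced sig, or "" if none did.
func (a *Account) Verify(challenge, sig []byte) string {
	h := sha256.Sum256(challenge)
	for name, pub := range a.creds {
		if ecdsa.VerifyASN1(pub, h[:], sig) {
			return name
		}
	}
	return ""
}
// HasBackup: would losing any single token still leave a way into this account?
func (a *Account) HasBackup() bool { return len(a.creds) >= 2 }
```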


It works well enough. When you need to sign up for a new service on the go, you can add your backup key when you get to it. Having the backup key in a safety deposit box hardly accessible seems like a non-goal given you protect it with a PIN with a very limited number of retries.


> When you need to signup for a new service on the go, you can add your backup key when you get to it

Good on paper, bad in practice.

Requires you to remember doing that each and every time. Incidentally this isn't that different from just grabbing your keys like the parent suggested. Only it introduces a new variable: time delay. A lot can happen in that time and we all know the reality is that even a diligent person is going to slip now and then. It surely isn't a reasonable expectation for an average person.


I have three: 1) local usage 2) local backup key 3) remote backup key

every few months I swap 2 and 3, and re-enroll any missing (kept track of with a spreadsheet)

quite annoying, offline enrollment would be considerably better


This is the way.


> Having the backup key in a safety deposit box hardly accessible seems like a non-goal

It's absolutely a goal, since a PIN doesn't prevent your security key from loss, theft, or physical destruction.


I keep it in a secure separate location in case my house catches on fire.


I'm not sure if this is satire. You trust the "cloud" and whatever does the syncing to the cloud? I definitely don't trust anything that "syncs to the cloud".


I read their comment to be “I trust myself to lose a hardware key, but not a software key that’s backed up and synced across all my devices.”

That’s one way to look at it: passkeys are just a more convenient form of authentication compared to passwords. Although in my mind you’re arguably not achieving a whole lot considering the security bottleneck is still the same, being the login to your password manager.

I use physical Yubikeys so I’m a bit out of the loop here, but are there any methods for protecting your root password to your password manager in this scenario?


> I definitely don't trust anything that "syncs to the cloud".

What if you lose your device? Do you install alternate passkeys in a second device? Do you have to do that for every site and service?


I use KeePassXC, and I have backups, if that counts, at least for passwords/passphrases and TOTP.


do you have offsite backups?


I do not have any backups on any servers; I have them on other media that I have physical access to.


It doesn't matter as long as it's encrypted. Use rclone crypt and upload to whatever "cloud" you want.


If it is encrypted (incl. the filenames), sure, but is it usually the case? If I do it manually, of course it would be, but all these modern "sync to cloud" solutions, I absolutely do not trust.


Sure, why not? The cloud is just somebody else's computer, and if I don't trust that somebody to not take a peek, I'll make sure to encrypt my data first.

Many password managers do just that.


Probably not satire. He/she doesn't need you to trust it for them to use it.

