AFAICT, the flaw is that passkeys are tied to device security. If I steal a naive person’s phone at the bar, and if I can guess that their PIN is 1234, then I can get into their Google account.
The criticism is based on the idea that most non-techie folks are unlikely to use a strong PIN and are unlikely to set up strong biometrics. There’s a related criticism about malware being able to steal passkeys on PC-based systems.
If someone steals my phone and guesses my PIN they already have access to my Google account because I'm signed in. To look at my email they just have to click on the Gmail app. This "flaw" exists regardless of password or passkeys.
Won’t most people be logged into their Google account anyways? So if you steal their phone, and guess their PIN then you can just use the already logged in account.
Certain account changing actions cannot be completed without the password. But if you have the phone (session, sms, passkey), you can reset the password and it's off to the races.
What are the odds that someone with a passcode 1234 is 1/ already signed into Google on their phone or 2/ has their Google password already saved in the device password manager (since it asks you to save it every time you sign in) which is also protected by the device pin?
At least in this case the thief has to steal the physical phone instead of guessing "password123" on the google signin prompt from the comfort of their home.
Also- how many non-techy people do you know that avoid using on-device biometrics? On my end, the number is approximately 0.
The point is that the odds are very high, i.e. if you've stolen their phone and know the PIN, you're very likely already in their account, passkey or no passkey.
Don’t try to argue that on-device biometrics are a foolproof solution to this. Even at its best you can unlock a device from a sleeping (or drunk or naive) user, which just brings us back to the same issue: already being logged in to a passkey service.
> The criticism is based on the idea that most non-techie folks are unlikely to use a strong PIN _and are unlikely to set up strong biometrics._
On-device biometrics are typically _also_ used to unlock the device password manager, so my other remarks still apply. I bet a sizeable portion of the HN crowd also uses biometrics to unlock their well-configured password managers on their phone.
At least, that's what I personally do. Entering my very strong vault password every [lock duration] on a touch keyboard is already irritating enough; I'd rather just look at my phone to unlock my passwords when I need to use autofill.
Most people have _extremely_ weak device security. 0000, 1234, DDMM of their birthdate, etc., and you probably cover the majority of people.
And none of that helps you when someone robs you of your phone and says to tell them your unlock code or they’ll stab you. Now they’ve got all your passkeys too.
They also have your phone so they have text messages, email access, Google auth access, etc.
So yes, it is true that your phone and its PIN/biometrics are ultimately the most important thing for security. But a passkey on your phone is no worse than the previous state.