Migration away from password

I'm interested in the "Transition users away from passwords" point that was mentioned but not covered in depth.

Once set up with a passkey, should we be disabling password-based logins for that user? Essentially securing accounts one by one as they move over (with the long-term goal of preventing registration with passwords altogether).

And what does the user flow look like for recovering an account when the private key is lost (stolen device)? Are we just back to sending an email or SMS with a URL to connect a new device (seems like a weak link)?

Or when the user's device is "left at home"? (I'm assuming no device = no luck, a compromise of extra security vs. weak passwords you carry around in your head.)


Replies

There are a few different questions here, so I'll try to cover all of them 🙂

  1. After a passkey is added to an existing account, it's up to the individual service how they want to handle the user's password. Completely deleting it from their database and no longer accepting it is the ideal long-term goal, but may not be feasible in the short term in every case, as users may still have devices running OS versions or platforms that don't fully support passkeys yet. As examples, services may consider which devices the user is regularly signing in with before prompting to delete the password, or freely offer the choice to the user to delete their password when ready. Given that passwords are significantly less secure than passkeys, services in this situation may also decide to put additional protections in place, such as requiring use of the passkey from supported devices, or requiring additional factors when falling back to the password.

  2. Account recovery is outside of the scope of passkeys, similar to how it's outside of the scope of passwords. However, because passkeys are guaranteed to be backed up, synced, and managed by devices, recovery for accounts using passkeys is likely to be a much less common scenario. Because of this, services worried about recovery being the weak link may decide to make it a higher-friction flow than the common link-in-email flows today.

  3. Passkeys derive much of their security benefit from being managed by devices, including physical proximity of those devices - which protects against remote phishing. Because of this, you do need a device with the passkey with you in order to sign in with it.
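The sign-in policy sketched in point 1 above, written out as an added example (not code from the thread or from any platform SDK). It assumes the service can tell whether the signing-in device supports passkeys and keeps a list of the account's recently used devices; those two inputs, the `Device` and `Account` records, are assumptions for illustration.

```python
"""Sign-in policy for a service migrating users from passwords to passkeys.

Added example. It models the reply's suggestions: keep the password only while
the user still signs in from devices that cannot use passkeys, require the passkey
wherever it is supported, demand an extra factor on any password fallback, and
recommend deleting the password once every recently used device supports passkeys.
"""
from dataclasses import dataclass, field
from enum import Enum


class Method(Enum):
    PASSKEY = "passkey"
    PASSWORD = "password"


@dataclass
class Device:
    device_id: str
    supports_passkeys: bool  # assumption: derived from client platform/OS version


@dataclass
class Account:
    has_passkey: bool
    has_password: bool
    recent_devices: list = field(default_factory=list)  # devices seen signing in lately


@dataclass
class Decision:
    allowed: set                    # credential types this device may present
    step_up_required: bool          # extra factor needed on password fallback
    suggest_password_deletion: bool # safe to offer removing the password


def evaluate_sign_in(account: Account, device: Device) -> Decision:
    """Decide which credentials this device may use and what else is needed."""
    allowed = set()
    if account.has_passkey and device.supports_passkeys:
        # Passkey-capable device and an enrolled passkey: accept the passkey only.
        allowed.add(Method.PASSKEY)
    elif account.has_password:
        # Legacy device (or no passkey yet): the password path stays open.
        allowed.add(Method.PASSWORD)
    # Password fallback while a passkey exists is the weaker path, so step up.
    step_up = Method.PASSWORD in allowed and account.has_passkey
    # Offer deletion only once every recently seen device can use passkeys.
    all_capable = bool(account.recent_devices) and all(
        d.supports_passkeys for d in account.recent_devices)
    suggest = account.has_passkey and account.has_password and all_capable
    return Decision(allowed, step_up, suggest)
```

An account with a passkey but no password that signs in from a non-supporting device gets an empty `allowed` set, which is point 3 above: no device with the passkey, no sign-in.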

That adds significant clarity, so thank you!