Passkeys are generally stored on something you have, and rely on something you know to unlock the vault, unless you choose to go with a biometric unlock instead.

It uses something on the computer like Windows Hello, or prompts you to insert your hardware token, or shows an QR code that you can use with your cell phone, or your password manager offers to fill it in. Depends where you store it.

Currently Firefox ONLY supports hardware tokens, and Google throws that nondescript error if you try to set it up without the token plugged in first. If your token is plugged in it should prompt for the pin and then store the passkey, however Firefox does not prompt for the pin every time so it only mostly works. Other browsers provide more options like a QR code you can use with a phone, and Firefox is working on them.

Like a pin, and say after some wrong attempts the entire thing is cleared. Oh wait, they can already do that.

Biometrics is one option. I prefer a pin that never leaves my local device.

If you mark your keychain as shared or not affects the way it is stored and the keys used to lock it down. It's actually documented quite a bit in their Keychain Security documentation.

There is a potential threat using Keychain Recovery. Less so from Apple or a court order given to them. Keychain is stored in such a way that Apple themselves cannot access it, unless they are lying.

See also: https://support.apple.com/guid...

And passkey support will be added in shortly as well.

Hardware tokens are not the only options. Cell phones have them built in (unlocked with PIN or Biometrics), some operating systems have them built in too. Password managers are adding support.

It supports 2-step authentication, their passkey support is nearly there but not 100% for hardware tokens (it never prompts for the token pin).

Firefox does not yet support the QR-code passkey option for people to use with their phones, so Thunderbird cannot either. Thunderbird oAuth still works fine if you tell it you want to use a password.

Thunderbird has used oAuth for years now, they do need to enable the passkey support that is already built in to the stuff they grab from Firefox.

You click the button to use a password instead and it works like always.

That's why it's biometric OR pin. Pins work fine to unlock these.

Biometrics are not required to use passkeys, she would use a pin or passcode.

You can register multiple passkeys. It's usually a good idea anyway in case you lose one. Password is also still there, you just hit "Log in a different way".

They can be hardware tokens, stored in the secure enclave on a cell phones (locked behind PIN or biometrics), computer using something like Windows Hello, or password managers like 1Password or soon to be Bitwarden.

Correct

Note quite, the dealers often have their own roadside assistance that costs more than AA/AAA/CAA (depending on where you live)

AAA is not expensive, but you are right. If you are going someplace remote, plan for it. And those plans had better include an actual jack that will take more trunk space than the piece of crap they ship with the car.

The jacks that come with many ICE cars are a joke anyways. I will never forget trying to change the tire on my friend's BMW only to have the jack fail. In the end I called road side who pulled out a real jack, fixed the tire and then asked "Why even bother trying to do it yourself?"