Why does losing my phone mean choosing between lockout and SMS fallback?
Opportunity
Passkeys eliminate passwords but introduce a fragility the FIDO2 spec does not solve: account recovery. If you lose your only enrolled device and have not pre-configured vendor-specific sync, you are locked out or forced back to SMS OTP, which re-opens the SIM-swap attacks passkeys were supposed to close. Apple, Google, and Microsoft each built incompatible sync silos, so moving from iOS to Android means re-enrolling at every service by hand. The WebAuthn spec defines how to create and use credentials but explicitly defers recovery to each platform. No vendor-neutral, cryptographically sound recovery primitive exists that preserves the original threat model.
Why it matters
Recovery is the weakest link in the passwordless stack, and solving it is the last mile that makes passkeys a viable replacement for passwords at scale.
How I score the opportunity
The Opportunity Score is my own read, not a measurement: how much it hurts, how often it bites, and how little exists to solve it today. Higher means I think it is more worth building.
How much pain it causes when it shows up.
How often people actually run into it.
How little good tooling exists for it today.
More problems worth solving
Why is the software we depend on most the worst to use?
TechWhy do I still own none of the data I generate?
TechWhy can I not get a receipt proving my data was actually deleted?
TechWhy can I not know if what is running matches what my SBOM declared?
TechWhy does every C2PA provenance chain break the moment content hits social media?
TechWhy can a regulator only catch a deceptive consent screen by reading it manually?