Security keys (i.e. "roaming authenticators" in WebAuthn language) have significant practical usability and availability downsides.
> "But what if I lose it?" questions can be answered by Technology Connections' favourite: The magic of buying two of them.
And the magic of having to access both of them every time you create a new account anywhere, which probably means you'll keep them both close by – increasing the availability risk.
A more realistic recommendation would be to use an open source FIDO backend such as Bitwarden or Strongbox that lets you cross-platform sync and, worst case, export your credentials if the vendor goes down a bad path.
Sure, if you trust Bitwarden but not Apple, you can, as I had assumed was obvious, use Bitwarden's Passkeys and not Apple's.
Personally I would rather have Security Keys, and there are going to be plenty of people like me. Yes, if you need a physical object as an authentication token you will sometimes need to have that object with you. I also thought that went without saying, but it's true in case it wasn't obvious.
Signing up for new accounts which deserve a separate meaningful identity (like a bank account, or a YouTuber's account, or GitHub maybe) is not a common occurrence. In the time since I last got a new Security Key I have added, let's see, zero new accounts, so I had to add that key to all the existing accounts, at work and outside, then nothing.