Confused about safety of passkeys vs OTP

Çağlar Arlı

I keep getting reminders on various sites that I can switch my use of Android authenticator 2FAs to a passkey. I just set it up for one site with my Android device and if I understand correctly, Google has full control over the passkey?

What I usually do is that I store username & password in my browser's password manager which is also backed up by Google. I now use an Android authenticator app that does NOT back up its secrets anywhere. In this way, I feel confident that even if an attacker compromises my Google account, he still can't log in to services where I've configured the 2FA.

With a passkey that's also under Google's control, doesn't this make it so that if my Google account gets compromised, an attacker has full control over all accounts because he'll be able to get my saved passwords AND have access to the passkey? Or am I misunderstanding something?