Question on Passkeys

Discussion in 'General Discussion' started by Bandit99, Nov 22, 2025 at 12:27 PM.


  1. Bandit99

    Bandit99 Monkey+++ Site Supporter+

    I am getting my head around passkeys. In general, they do seem more secure; however, being the pessimist and paranoid, it seems that there is a serious flaw to me when it comes to Data Breaches but maybe I'm missing something so...

    I get each of your devices has its own private passkey stored on it and the distant end account (server) has a specific public key just for that device (both keys are encrypted). Very good, and it does add much security; here's what bugs me...

    So, if my device is damaged, reset, or a new operating system formats and installs wiping away my keys or it's simply a new device, I can still access my account because I simply have to login using my password which is stored on the account/server and create a new passkey.

    Now, when that server(s) has a data breach even though they will obtain only my public keys, which will do them no good, they still obtain my password(s) which is still the main problem I have now...since there have been 2 serious data breaches of different companies where my data also was stolen in the last 2 years.

    I do see how it is great for other security problems like phishing but failed to see how this improves my chances concerning a data breach. So, do I understand this correctly or am I missing something?
     
    Zimmy and sec_monkey like this.
  2. sec_monkey

    sec_monkey SM Security Administrator

    how much time plus how much $$$$$$$$ ya got?

    is dey quantum safe?

    bitcoin aint .. ..

    passkeys aint as safe as folks think cuz a truckload of companies let ya reset them by oder means usin weak auth

    how secure is dem reset passwords or alternate verification?
     
    Zimmy and kissmybrass like this.
  3. Brokor

    Brokor Live Free or Cry Moderator Site Supporter+++ Founding Member

    YUBICO / YUBIKEY

    Nothing else is 100 percent safe. I wish more people truly understood security out there on the web. We should all have our own physical key, that's foolproof.
     
    Zimmy, VisuTrac and Bandit99 like this.
  4. Bandit99

    Bandit99 Monkey+++ Site Supporter+

    @Brokor Thanks for the Yubico link. I heard about physical keys and will read the link. I think the problem is not all accounts support this...but we'll see.
     
    Zimmy and sec_monkey like this.
  5. Tempstar

    Tempstar Monkey+++

    Annnnnddddd, shut the machine down when done working, and a Yubikey or other fingerprint device to access on startup.
    Treat everything as though it isn't secure, store vital things on physical non-attached drives only. Do Windows updates when asked to if you use that system. Learn to use your firewall and use a VPN always.
     
    sec_monkey likes this.
  6. sec_monkey

    sec_monkey SM Security Administrator

    yubikey aint completely safe either .. .. it is better than most oder stuff n things wid asterisks .. ..

    Security Advisory YSA-2024-03

    Security advisories

    plus plus
     
  7. Tempstar

    Tempstar Monkey+++

    Yeah, we just found out the mighty Fortigate is an easy hack if the console cable is plugged in. Like it is everywhere.
     
    sec_monkey likes this.
  8. sec_monkey

    sec_monkey SM Security Administrator

    everythin is :(
     
    Tempstar likes this.
  9. Bandit99

    Bandit99 Monkey+++ Site Supporter+

    Question #1: So, if I understand correctly, what these Physical Security Keys do is replace the 2FA, so instead of receiving a text message on your phone (or email) for your 2nd level of security, your Physical Key handshakes, via encryption, with the distant end account to provide access, comparing the encrypted keys. Right?
    (Note: this seems to me to be an excellent idea as I have had my phone number spoofed about 5 years ago (no harm done but it was scary) or if you lost your phone or it gets dropped in the toilet or etc...)
    Note: My statement is not exactly correct as some Physical/Hardware Keys can also act as Passkeys (Yubico 5 FIDO 2 allows storage of 25 passkeys) while also performing as a physical key 2FA protection so some can do both.

    Question #2: Can you make an identical copy, an alternate copy, of your primary physical key in case you lose the primary? Seems that could be a real problem if it went through the wash or the cat thought it was a toy or etc...
    Answer: "No, you cannot copy a physical security key to create an exact backup because the credentials are bound to the unique hardware of each key. The secure way to have a backup is to purchase a second key and register it with your accounts separately, using the same process as the first key." So, one truly needs to have at least 2 keys and register them individually both on any and all accounts...not exactly convenient but I get it.

    Question #3: Recommendations for a physical security key, manufacturer and model?
    (Note: It appears Yubico is the leader, and I'm leaning towards the 'YubiKey 5 NFC' however it seems to me that a physically integrated pin-pad in case it was lost would add additional level of security.)

    I take security very seriously and the first thing to do is completely understand it - correctly. Still reading...thinking physical key for my financial accounts...but don't think Fidelity supports yet but they do support Passkeys...
     
    Last edited: Nov 23, 2025 at 2:10 PM
    sec_monkey, Tempstar and Brokor like this.
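As an added illustration (my own example, not code from anyone in this thread or from Yubico), here is the kind of challenge-response exchange the opening post and Question #1 above are describing, written in Go with only the standard library. It is a deliberately simplified, hypothetical model of a FIDO-style passkey login: the relying party bank.example, the user bandit, the "phone" and "backup key" authenticators, and the digest layout (rpID joined to the challenge) are assumptions for the demo, not the real WebAuthn encoding. What it shows concretely: the private key never leaves the authenticator, the server table holds public keys only, a second key is enrolled as a separate credential rather than a copy (Question #2), and an assertion is bound to the site name and to a fresh challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models one device or hardware key holding private passkeys.
// Hypothetical simplified model: no attestation, no CBOR, no signature counter.
type Authenticator struct {
	Name string
	keys map[string]*ecdsa.PrivateKey // one key pair per relying party (rpID); never leaves the device
}
func NewAuthenticator(name string) *Authenticator {
	return &Authenticator{Name: name, keys: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh P-256 key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// assertionDigest binds the relying party's identity into the signed data (assumed layout).
func assertionDigest(rpID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return d[:]
}

// Sign answers a challenge for rpID. A look-alike domain has no credential here,
// and a signature made for one rpID never verifies under another: the phishing resistance.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New(a.Name + ": no credential for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpID, challenge))
}

// RelyingParty is the server. Creds holds public keys only, so a breach of this
// table yields nothing that can produce a signature.
type RelyingParty struct {
	ID    string
	Creds map[string][]*ecdsa.PublicKey // username -> registered public keys
}
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, Creds: map[string][]*ecdsa.PublicKey{}}
}

// Enroll adds one authenticator as one more credential for user. A backup key
// is enrolled the same way as a separate credential, not cloned from the first.
func (rp *RelyingParty) Enroll(user string, auth *Authenticator) error {
	pub, err := auth.Register(rp.ID)
	if err != nil {
		return err
	}
	rp.Creds[user] = append(rp.Creds[user], pub)
	return nil
}

// NewChallenge issues 32 fresh random bytes, so a captured assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts the assertion if any credential registered for user verifies it.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	digest := assertionDigest(rp.ID, challenge)
	for _, pub := range rp.Creds[user] {
		if ecdsa.VerifyASN1(pub, digest, sig) {
			return true
		}
	}
	return false
}

// Authenticate runs the whole exchange: challenge out, signed assertion back, verify.
func Authenticate(rp *RelyingParty, user string, auth *Authenticator) (bool, error) {
	challenge, err := rp.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(rp.ID, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, sig), nil
}
```

Note what the model does and does not cover: the server's Creds table is typed as public keys, which is exactly the point the opening post makes about a breach of the passkey side. The password fallback and the account-recovery paths sec_monkey raises sit outside this exchange entirely, which is why they, not the passkey, are what a breach or a weak reset flow exposes.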
  10. Brokor

    Brokor Live Free or Cry Moderator Site Supporter+++ Founding Member

    Yes, but it's not really a threat.

    "The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key."

    It's an advisory, which is the responsible thing to do and it was put out by Ubi. But nothing is completely safe like you said. This is pretty much as good as it gets shy of getting an implant.
     