Google passkey protection in Google Password Manager:


Passkeys in the Google Password Manager are always end-to-end encrypted: When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices.

Question: are these passkey protection keys unique to end-user devices or to user accounts?

This is just a question to further understand the concept of protecting users' passkeys from unauthorized access while these passkeys are backed up to Google systems.


There are 2 best solutions below


When a user sets up a new Android device by transferring data from an older device, existing end-to-end encryption keys are securely transferred to the new device. In some cases, for example, when the older device was lost or damaged, users may need to recover the end-to-end encryption keys from a secure online backup.

To recover the end-to-end encryption key, the user must provide the lock screen PIN, password, or pattern of another existing device that had access to those keys. Note that restoring passkeys on a new device requires both being signed in to the Google Account and an existing device's screen lock.

See https://security.googleblog.com/2022/10/SecurityofPasskeysintheGooglePasswordManager.html


Question: are these passkey protection keys unique to end-user devices or to user accounts?

They are specific to the accounts. If they were specific to a device then a passkey created, encrypted, and uploaded from one device could not be used on another device that's signed into the account because the protection key would be different.