Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
They’re device-bound certificate based authentication with some shiny bits.
Or they’re portable-via-certain-services certificate based authentication with some shiny bits.
Either way they’re new and try explaining that the user needs a new one for every device (or needs a new app to carry them around in) and that if the device dies, or the app dies, they lose it all. I have quite a few people in my life who can’t wrap their heads around using a password manager.
Personally, I find them irritating. My chosen password manager on iPhone doesn’t support them, so I need to have the iOS password vault turned on (yes, this is a dark pattern Apple has created to try to increase adoption of their password vault) to use them. Adoption needs to be much higher, interoperability needs to be better, and they need to put back the hint for which vault to use (which was removed early on to keep Microsoft and google from forcing chrome/edge vaults, but has the actual effect that chrome/edge tend to win the race over other options and means that the passkey prompt might be for a different app than the one that you prefer, leading to further user confusion)
I mean, I wouldn’t mind if I could use my flipper for it, but the big issue is “if flipper break get fucked.” I can back up my .kdbx file in 14 luks encrypted locations, I can’t backup a whole ass flipper as easily.