Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Sure, they probably work great when you have your *passkey manager on the device, but that’s not when I need to have backup routes into my accounts. When using a new device, or someone else’s, having even a complicated password that can be typed or copied-pasted has way more functionality.
As far a I can tell, using passkeys would only risk locking me out of my accounts. Everyone else is already effectively locked out.
I can access my password manager via the browser from any device.
Can’t you access your password manager from a web browser? Or your phone?
Oops, meant passkey manager, fixed it.
Isn’t that the same thing? All my credentials & passkeys are in the cross-platform password manager available from all my devices & any web browser. Passkeys even have a cross-device flow, so we can just scan a QR code & use a phone to sign into anything.
Manually keying in a password just feels so boomer.
You could also use dedicated hardware to store your keys. Any FIDO USB key will do. I have a Yubikey that cost me less than 30 bucks.
It’s really handy, because I frequently use someone else’s device for work. All I have to do is plug it in, press the button on the key and enter the master password for the passkey storage. It’s like having a password manager on a USB stick.