Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Better title:
Passkeys: still trying to explain why it’s worth the hassle when it isn’t
There’s a hassle?
Every time I was prompted to use one by plugging my phone in to my computer nothing happened. That was a little over a year ago.
It’s been a very seamless experience with Bitwarden. Pretty much “click passkey, now logged in”.
The eco-system lock-in makes this a non-starter for me. If I could store the private keys in something like a keepass vault (or that) and do the authentication magic from that I would consider it.
You can? At least I do that. I host vaultwarden myself and store the passkeys there.
Passkeys to me are just a better way to autofill in login data.
