Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Just don’t take away passwords + TOTP 2FA for those of us who are actually using it correctly.
lets just hold the line of “the answer is always username/password + second factor”.
could be username/password + totp…
could be username/password + passkey…
if someone figures out my password, i dont lose everything…
if someone steals my passkey, i dont lose everything…
even if i do use the same password for everything, the second factor has it covered.
(nobody will ever guess my password of ******** anyway!)