Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.
Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.
I use them with bitwarden and a self hosted vaultwarden. If my phone breaks, no issue. If my server breaks, I got local backups… Keys are stored encrypted in a postgres database for which I have access, if I need to restore it. No lock-in issue or risk of loosing access when one or two devices break.
Question is by what? I could see an argument that it is an overcomplication of some ill-defined application of x509 certificates or ssh user keys, but roughly they all are comparable fundamental technologies.
The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored rather than leaving it up to the user. You want to use a passkey to a site that you manually trusted? Tough, not allowed. You want to use against an IP address, even if that IP address has a valid certificate? Tough, not allowed.
They were surpassed by password managers and 2fa.
Password managers are a workaround, and broadly speaking the general system is still weak because password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials. Also doesn’t do anything to mitigate a phishing attack, should the user get fooled they will leak a password they care about.
2FA is broad, but I’m wagering you specifically mean TOTP, numbers that change based on a shared secret. Problems there are: -Transcribing the code is a pain -Password managers mitigate that, but the most commonly ‘default’ password managers (e.g. built into the browser) do nothing for them -Still susceptible to phishing, albeit on a shorter time scale
Pub/priv key based tech is the right approach, but passkey does wrap it up with some obnoxious stuff.
Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn’t there. Because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.