Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
The only MITM attack I’ve seen is entering codes before the user does. That’s not breaking TOTP in any meaningful way (which is what I was trying to get at), so it would be similar for password entry or even passkeys if they have sufficient control over the device or network to essentially do a replay attack.
I’m basically saying that generating codes with TOTP and passkeys are a similar process and are subject to similar threats. Passkeys are slightly better since codes can’t be generated independently, but AFAIK that’s not a significant threat for TOTP anyway, because if they have that level of control, they already have your data.
The choice between TOTP or passkeys is not a significant one, if your provider offers one or the other, your account will be reasonably secure. If your TOTP solution is built in to your password manager, it’s basically the same thing so you should probably prefer passkeys.
Keep in mind, still discussing the underlying fundamentals and not the user experience.
MitM attacks are frequently covered in white hat hacking, often after an actual event takes place. It is considered a third party attack, and it does break trust. It is a security threat, and to claim it doesn’t count is absurd. I’ve seen a few reports personally from internal, but I’m not at liberty to speak specifics about them. On the topic of replay attacks, TOTP is vulnerable, but passkeys are not (yet, I’ve seen people try though). This isn’t the only type of MitM attack, and, again, both are somewhat vulnerable.
TOTP is nothing, nowhere similar to passkeys in any way. You do NOT generate codes with passkeys. Passkeys are a form of public/private keys that are used to create a challenge/response request and used to generate a digital signature. The keys are not passwords (aka “shared secrets”). Digital signatures are also not passwords. The only other thing I can think you mean by “code generation” is that you’re using it as a generic catch-all, but that happens with…well everything (even passwords), depending on context.
I don’t want to sound too much like a die hard passkey fan - and you are right - passkeys are extremely overkill if you use anything above a plain old password. In some cases, layered security can be just as effective. The problem is that most people do only use plain old passwords. If we can get any kind of extra security, even TOTP, then all the better. There are also some cases passkeys are not feasible, so it’s good to have alternatives.