Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
That sounds great, but also isn’t a solution for most people.
True. But most good stuff isn’t a solution for everyone. It takes real effort to escape vendor-lockin. Bigtech made sure of that.
If something is too simple to set up or requires no set up, or comes from a for-profit company, but doesn’t cost anything, then it always suspicious.
I am just saying that the issue is not with passkey itself, but the individual implementations and that google/twitter/etc. is pushed towards regular users.
Critiquing passkey because vendor-lockin is like critiquing HTML for allowing ads.