Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
I don’t know what to tell you. Multiple sites and services asked if I wanted to set up a passkey, every time I got prompted to plug my phone in via USB, and nothing happened when I did. At no point in the process did it give me a QR code or ask me if I wanted to set one up through a password manager instead of a phone. I didn’t do anything special or incorrect. I followed the normal prompts they gave me.