Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
I’m still annoyed that “OPAQUE” never seemed to catch on. Uses a username/password combo as normal, but never actually sends the password to the server, only a proof of knowledge. Even if the server is hacked and the DB leaked the attackers can’t actually recover anything resembling a password from it, since the server simply never possesses it.
Passkeys are superior (No password at all), if only the UX around them was better.
I’m still mad SQRL never got off the ground. It was smartphone based initially, though they quickly made it work in browser. You had a private key that was ‘you’ and it generated unique user assertion certs per domain, and you completed the login flow by scanning a QR code with the app, which pinged a URL with the user assertion. It was really cool since it had the option of working alongside a password, or you could set it to only work with SQRL logins. No password or anything for the login, just pure math and key material.
But given it put all recovery on the user (if you didn’t back up your shit, it’s fine if you lose it), I can’t say I’m that surprised.