Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
I’m still mad SQRL never got off the ground. It was smartphone based initially, though they quickly made it work in browser. You had a private key that was ‘you’ and it generated unique user assertion certs per domain, and you completed the login flow by scanning a QR code with the app, which pinged a URL with the user assertion. It was really cool since it had the option of working alongside a password, or you could set it to only work with SQRL logins. No password or anything for the login, just pure math and key material.
But given it put all recovery on the user (if you didn’t back up your shit, it’s fine if you lose it), I can’t say I’m that surprised.