Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Perhaps he means the process of setting it up. Or when it doesn’t work. Or when passkeys are lost. Or using another device. A lot of people’s complaints about passkeys aren’t really about when it works.
It’s valid I think, but also some people forget passwords can have similar experiences. For one, there seems to be this idea that if you lose your passkey you get locked out of your account forever. The recovery process should be no different than losing your password.
I could see that. I’ve only found a few in the wild (mostly just enterprise, niche tech-related, and big platform web apps) but there’s probably some clunky implementations out there I haven’t suffered through yet.
True, plenty in this thread even. IIRC there’s usually a recovery key process same as a typical authenticator MFA, sometimes other routes in addition like combining multiple other MFAs or recovery contact assignment. Regardless, completely losing PW manager access across devices would presumably be the more immediate crisis for most.