Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing.
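To make the "no shared secret, phishing stopped at the source" point concrete, here is an added example (not code from the original post or from any FIDO2/WebAuthn library) of the assertion check a relying party performs during a passkey sign-in. It assumes a single ECDSA P-256 credential and uses constructed placeholder names (`bank.example`, `chal-1`, a look-alike origin `bank-example.evil`); the `Sign` function stands in for the authenticator so the flow runs offline. The server stores only a public key, so a database leak yields nothing reusable, and the signed data includes the origin the browser was actually on, so an assertion produced on a look-alike site fails the check.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is all the relying party keeps after registration: a public key and a
// signature counter. There is no password hash or shared secret to steal or stuff.
type Credential struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32
}

// clientData mirrors the clientDataJSON fields that matter here. The browser, not the
// web page, fills in Origin with the site the user is really on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the authenticator returns for one sign-in attempt.
type Assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// buildAuthData builds a minimal authenticatorData:
// SHA-256(rpId) (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian).
func buildAuthData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	buf := make([]byte, 37)
	copy(buf, h[:])
	buf[32] = 0x01 // UP flag: user was present (touch / biometric)
	binary.BigEndian.PutUint32(buf[33:], counter)
	return buf
}

// signedDigest is what both sides sign/verify: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign simulates the authenticator. The private key is used here and never transmitted.
func Sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string, counter uint32) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	authData := buildAuthData(rpID, counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the relying-party side. The assertion is bound to the challenge the RP issued
// (replay), the origin the browser was on (phishing), and the rpId (credential scope).
func Verify(cred *Credential, rpID, expectedOrigin, expectedChallenge string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return errors.New("wrong ceremony or challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, expectedOrigin)
	}
	if len(a.AuthData) < 37 {
		return errors.New("authenticatorData too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to a different relying party")
	}
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if counter != 0 && counter <= cred.Counter {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.PubKey, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify under the registered public key")
	}
	cred.Counter = counter
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred := &Credential{PubKey: &priv.PublicKey} // constructed sample registration
	good, _ := Sign(priv, "bank.example", "https://bank.example", "chal-1", 1)
	fmt.Println("genuine site:   ", Verify(cred, "bank.example", "https://bank.example", "chal-1", good))
	phished, _ := Sign(priv, "bank.example", "https://bank-example.evil", "chal-2", 2)
	fmt.Println("look-alike site:", Verify(cred, "bank.example", "https://bank.example", "chal-2", phished))
}
```

The order of checks is deliberate: challenge and origin are compared before any cryptography, so a replayed or misdirected assertion is rejected cheaply, and the signature is only verified against the public key registered for that user, which is the property that makes credential stuffing pointless.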


It’s the never-ending battle between what’s secure and what’s practical. In order to have widespread adoption, it has to be easy. In order to be secure, it requires layers of complication.
It’s a yin/yang battle.
A bank vault with walls 2 feet thick, 24/7 surveillance and a two-key unlock mechanism is secure compared to a house door lock on a regular suburban bungalow, but is it very practical?
The level of digital security generally attainable is limited by how likely someone is to use it.
2FA using keys is the closest I’ve seen to a happy medium, but it has to be implemented correctly. If the private keys are sitting on a cloud server somewhere and it gets hacked, is it more secure? Maybe not.
Just like real defence, the walls are only as good as the foundation or weakest point.