Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Today we use lots of accounts with unique passwords. Obviously these passwords have to be stored somewhere. So I disagree with you when you say it’s a unique passkey thing.
Passkey has an advantage when it comes to phishing because it doesn’t totally rely on human intelligence or state of mind.
From a personal experience my data was leaked online, not because of phishing or I was careless. but it was leaked from a well known third party site which I used. They were affected by a very serious breach. Many unlike me use the same passwords for their emails and stuffs. But in case of passkeys there isn’t a shared secret. A breach will be useless.
I think you’re making my point. First, you’re right that passkeys can’t be phished. But access to the passkey manager can be. And now you’ve doubled your exposure to leaky third parties, once with the service you’re accessing and another with the passkey manager.
But the third parties actually have no access to your passkeys. The passkey stored are end to end encrypted blobs. So even if anyone gets hold of it, its useless. But a password for instance when leaked from 3rd party can be used easily as the server will have to decrypt the password at one point. So the means to decrypt the password will be at the server but passkeys aren’t like that. The private passkey can be decrypted only on your device for signing the challenge. Basically your exposure was basically halved.