Article discussing the push for passkeys as an alternative to passwords, including the numerous problems associated with passkeys: big companies' agenda, complicated proprietary implementations, vendor lock-in and dependency on smartphones, dubious value for ordinary users, misplaced purpose and value, hype versus security, lax IT practices and constant private-data leaks, the psychological reasons why the modern Web and email are interactive and phishing-prone due to profit-driven design, the wrongness of clickable links, the practice of information-only communication, severe implications for privacy and freedom in so-called modern solutions, and other observations.
Passwords can be secure when the end user picks a strong one. But that is the biggest problem with them: the end user. They don’t pick good passwords, and decades have shown us that the general public is bad at passwords.
Passkeys are not biometrics. They are much simpler. In a very simple way you can think of them as a secure, long, random password that is stored on your device, generated per device, and not sent over the wire to the other side (so more like public/private key cryptography, I believe).
The passkey on your device can be stored in an encrypted vault or even in secure hardware that requires a PIN/password or key to unlock.
They are not getting rid of multifactor codes and can be used with them. But by protecting them locally you can still have 2 factors to access them: the hardware/vault that contains them and the PIN/password/biometric that unlocks the vault. And that is in addition to server-side multifactor systems.
But even without all that you still gain massive benefits over passwords, as it stops cross-site compromises when one site gets its password database leaked, or brute-forcing access to systems by guessing the weak passwords that most people use.
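The challenge-response flow the comment above describes, as an added example that is not part of the original thread or of any real passkey implementation: the device generates a per-site P-256 key pair, the server stores only the public key, and every login signs a fresh server challenge, so a leaked credential database or a captured assertion is useless to an attacker. The site names, the hash construction and the in-memory types are assumptions for illustration; real passkeys follow the WebAuthn/FIDO2 specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Passkey is the per-site key pair a device generates at registration (illustration, not a FIDO library).
type Passkey struct {
	relyingParty string // site the key is bound to, e.g. "example.test" (constructed name)
	priv         *ecdsa.PrivateKey
}

// StoredCredential is all the server keeps: a public key, so a database leak yields nothing that can log in.
type StoredCredential struct{ Pub *ecdsa.PublicKey }

// Register creates a fresh P-256 key pair for one site; the private half never leaves the device.
func Register(rp string) (*Passkey, StoredCredential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, StoredCredential{}, err
	}
	return &Passkey{relyingParty: rp, priv: priv}, StoredCredential{Pub: &priv.PublicKey}, nil
}

// NewChallenge is the server's random nonce for one login attempt, so a captured assertion cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign produces the assertion, a signature over hash(rp || challenge); it refuses sites the key is not bound to.
func (p *Passkey) Sign(rp string, challenge []byte) ([]byte, error) {
	if rp != p.relyingParty {
		return nil, fmt.Errorf("passkey bound to %q, not %q", p.relyingParty, rp)
	}
	h := sha256.Sum256(append([]byte(rp), challenge...))
	return ecdsa.SignASN1(rand.Reader, p.priv, h[:])
}

// Verify is the server-side check of an assertion against the stored public key.
func (c StoredCredential) Verify(rp string, challenge, sig []byte) bool {
	h := sha256.Sum256(append([]byte(rp), challenge...))
	return ecdsa.VerifyASN1(c.Pub, h[:], sig)
}
```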