Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Isn’t this optional? I use passkeys and have yet to be asked for anything else in addition to it.
The passkey is only passed on with an unlocked device. So, if someone stole your passkey device, they can’t copy it and use it without unlocking.
I’ve only ever seen passkeys used as 2FA, personally.
Really? If I open github (for example) and select passkey login, I just need to press ok using Bitwarden.
Amazon always asked for 2fa and then the passkey pops up but doesn’t actually do anything other then tell me I have it enabled