Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
They were surpassed by password managers and 2fa.
Technically they are the 2fa. The second factor is something you have. I store all my passkeys in my password manager too, so I’m not faulting you, but technically that’s just undoing the second factor, because now my two factors are “two things that are both unlocked by the same one thing I know”. Which is one complicated factor spread across two form fields.
Password managers are a workaround, and broadly speaking the general system is still weak because password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials. Also doesn’t do anything to mitigate a phishing attack, should the user get fooled they will leak a password they care about.
2FA is broad, but I’m wagering you specifically mean TOTP, numbers that change based on a shared secret. Problems there are: -Transcribing the code is a pain -Password managers mitigate that, but the most commonly ‘default’ password managers (e.g. built into the browser) do nothing for them -Still susceptible to phishing, albeit on a shorter time scale
Pub/priv key based tech is the right approach, but passkey does wrap it up with some obnoxious stuff.
All of the modern browsers have built in password managers so I doubt that very much.
Are they as secure as your self-hosted bit warden that is not accessible via the Internet? No.
But it does still keep track of your usernames and even alerts you if you have a breach.
Lack of adoption doesn’t really make password managers a workaround. What’s being worked around? People’s laziness?
Password managers actually do solve the phishing problem to an extent, since if you’re using it properly, you’ll have a unique password for every service, limiting the scope of the problem.
Putting TOTP 2fa codes in your password manager behind the same password as everything else actually destroys any additional security added by 2fa, since it puts you back to a single auth factor.