Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
I’ve only ever seen passkeys used as 2FA, personally.
Really? If I open github (for example) and select passkey login, I just need to press ok using Bitwarden.
Amazon always asked for 2fa and then the passkey pops up but doesn’t actually do anything other then tell me I have it enabled