Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
If they can intercept my password despite TLS, they can probably also steal my session. I’ll grant that’s marginally less bad since the attacker would have to do their evil immediately if I log out when finished.
I’m going to disagree that passkeys really have multifactor authentication built in. The passkey is a single factor. If it is compromised (an attacker steals the private key), that’s all the attacker needs unless the service involved requires another factor like TOTP. The fact that it’s usually harder to steal the private key than a password doesn’t make it MFA.
I recognize the theoretical advantages, but my one attempt to use it (here, with Piefed) didn’t go so well, so I’m not eager to jump in with both feet.