Passkey is still too confusing to use

by ilamont on 10/8/2025, 12:08 AM with 27 comments

by ggm on 10/8/2025, 12:16 AM

I think I have to agree. I spend my life across 2 MacBooks and 2 Android devices and I now cannot predict which web interaction (or WPA) will ask me to use which device(s) to validate which association.

I have Bitwarden on all of them. I can coordinate 2FA TOTP easily. I don't see passkey adding value right now; it's simply added an extra model, alongside the others, which doesn't even reliably work.

Given their non-migrating quality, I can't federate can I?

by misterspaceman on 10/8/2025, 2:30 AM

I'm not a security expert, but I have an opinion on passkeys: I think we should stick to using them only for 2FA. At least for any site where the security really matters.

In my mind, a passkey authenticates the device, while the password authenticates you, the user. Passkeys let us limit which devices are allowed to connect with our credentials. A hacker in Eastern Europe could steal my login, but if their laptop isn't authorized, it makes an account takeover much harder.

(Side note: This is also why I'm uncomfortable putting TOTP codes and passkeys in the same password manager as the regular login credentials. It effectively defeats the whole purpose, turning multi-factor authentication back into single-factor again.)

by al_borland on 10/8/2025, 12:29 AM

It also feels like many sites are trying to either trick or gaslight me into moving over to a passkey. Amazon was successful in tricking me, and I’ve had to be much more vigilant since that happened.

by Detrytus on 10/8/2025, 1:16 AM

Call me old-fashioned, but I distrust any form of authentication that is tied to a specific device.

I might be getting older but my memory is still good enough to remember a couple of secure passwords (secure, as in: 20+ chars long random strings), one of them being a password to my KeePass database, and the other to the email account where I keep a backup copy of it.

I would hate to be locked out of my accounts only because I lost my phone or YubiKey.

by pabs3 on 10/8/2025, 1:27 AM

Passkeys are also incompatible with Free Software:

https://www.smokingonabike.com/2025/01/04/passkey-marketing-...