Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Not to mention Apple decided to make passkeys Airdropable. Fun.
I worked on a cool projected called FedID: https://fedid.me/ that creates a distributed identifier (DID) out in the world, federated with AvtivityPub, and gives you a key you can sign in with via OpenID Connect. It allows the DID to have multiple keys for multiple devices, and delegate authority, so losing a device/failure is no big deal.
That being said, Web passkeys can be stored in password managers, just like passwords.