Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what’s still missing.

  • lmmarsano@lemmynsfw.com · 2 points · edited · 3 hours ago

    All my passwords look like @A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWE and are unique.

    You’re still transmitting the actual secret to the destination, so interception is a risk. Passkeys use asymmetric cryptography: no reusable secret is ever transmitted, only time-sensitive challenges that prove possession of the private key. Servers only store public keys, which aren’t secret by design.

    Passkeys have multifactor authentication built-in whereas passwords do not.

    Passkeys can be more convenient than passwords. My password manager has my passkeys. At login, my password manager raises a passkey prompt that I simply confirm.
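The challenge-and-signature exchange the comment above describes, written out as an added example in Go (not code from the thread or from any FIDO project): the server stores only a public key, issues a fresh random challenge per login, and the passkey signs authData || SHA-256(clientDataJSON) as in a WebAuthn assertion. The relying party then checks the challenge (single-use, so a captured response cannot be replayed), the origin the browser recorded (so a response produced on a phishing page fails), the rpIdHash, the user-presence flag, the signature, and the signature counter. The relying party name `example.com`, the phishing origin, and the scenario helper `loginOutcomes` are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying party; both names are assumptions for this example.
const (
	rpID     = "example.com"
	rpOrigin = "https://example.com"
)

// Subset of WebAuthn clientDataJSON that the relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// What the server stores after registration: a public key and the last
// signature counter it saw. Nothing in here is secret.
type credential struct {
	pub       *ecdsa.PublicKey
	signCount uint32
}

// What the authenticator returns for one login challenge.
type assertion struct {
	authData, clientDataJSON, signature []byte
}

// newChallenge draws a fresh 32-byte nonce that is valid for one login attempt.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// authenticatorData builds the minimal 37-byte authData:
// SHA-256(rpId) || flags || big-endian signCount.
func authenticatorData(id string, flags byte, count uint32) []byte {
	h := sha256.Sum256([]byte(id))
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], count)
	return append(append(append([]byte{}, h[:]...), flags), cnt[:]...)
}

// signedDigest is the value both sides sign/verify: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// authenticatorAssert stands in for the passkey (for example, one held by a
// password manager). The private key never leaves it; the origin field is what
// the browser observed, which a phishing page cannot rewrite.
func authenticatorAssert(priv *ecdsa.PrivateKey, challenge []byte, origin string, count uint32) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	ad := authenticatorData(rpID, 0x05, count) // UP (0x01) + UV (0x04)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{authData: ad, clientDataJSON: cd, signature: sig}, nil
}

// verifyAssertion is the relying-party side; every check must hold.
func verifyAssertion(cred *credential, expectedChallenge []byte, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, expectedChallenge) {
		return errors.New("challenge mismatch: stale or replayed response")
	}
	if cd.Origin != rpOrigin {
		return errors.New("origin mismatch: response was produced for " + cd.Origin)
	}
	if len(a.authData) < 37 {
		return errors.New("authData too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if a.authData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(cred.pub, signedDigest(a.authData, a.clientDataJSON), a.signature) {
		return errors.New("bad signature: not made by the registered private key")
	}
	count := binary.BigEndian.Uint32(a.authData[33:37])
	if count != 0 && count <= cred.signCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cred.signCount = count
	return nil
}

// loginOutcomes runs a legitimate login, a phished login, a replay and a login
// with the wrong key, returning the verifier's verdict for each (nil = accepted).
func loginOutcomes() (map[string]error, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // some unrelated passkey
	if err != nil {
		return nil, err
	}
	cred := &credential{pub: &priv.PublicKey}
	out := map[string]error{}
	var keep assertion
	run := func(name string, key *ecdsa.PrivateKey, origin string, count uint32, replay *assertion) error {
		ch, err := newChallenge()
		if err != nil {
			return err
		}
		a := assertion{}
		if replay != nil {
			a = *replay // attacker resubmits a captured response
		} else if a, err = authenticatorAssert(key, ch, origin, count); err != nil {
			return err
		}
		if name == "legit" {
			keep = a
		}
		out[name] = verifyAssertion(cred, ch, a)
		return nil
	}
	steps := []error{
		run("legit", priv, rpOrigin, 1, nil),
		run("phish", priv, "https://example.com.evil.test", 2, nil), // relayed real challenge, wrong origin
		run("replay", priv, rpOrigin, 0, &keep),
		run("wrongkey", other, rpOrigin, 3, nil),
	}
	for _, e := range steps {
		if e != nil {
			return nil, e
		}
	}
	return out, nil
}

func main() {
	res, err := loginOutcomes()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"legit", "phish", "replay", "wrongkey"} {
		fmt.Printf("%-8s -> %v\n", k, res[k])
	}
}
```

Only the legitimate login is accepted: the phished response fails on origin even though the challenge and signature are genuine, the replay fails on the challenge check, and the unrelated passkey fails signature verification. Note that a real browser would not even produce the phishing assertion, since the rpId must match the page's origin; the check is still done server-side.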