[lxgr]

Passwords can be both stolen (they are valid for multiple authentications) and are susceptible to phishing/MITM attacks.

TOTP/HOTP solves the first problem by making the credential provided during authentications single-use, but they're still susceptible to phishing/MITMs (since you don't know where you're entering your OTP).

WebAuthN solves both.

> What happens if i lost all my devices due to a fire?

Passkeys are synchronized to your device ecosystem vendor by default (i.e. Google or Apple, and soon also third-party password maangers on Android), for better or worse.

[garganzol]

> Passkeys are synchronized to your device ecosystem ... and soon also third-party password maangers on Android

And at that point they make a full circle becoming just passwords with a master password. Essentially what password managers already do. You already can tie a master password to a biometric or another factor.

[lxgr]

Not quite: Passwords are long-lived bearer tokens, which can be phished/MITMed (exclusively using auto-fill helps, but non-technical users are still prone to be phished) and are administratively harder to securely manage on the backend of the relying party.

[JohnFen]

> Passkeys are synchronized to your device ecosystem vendor by default (i.e. Google or Apple, and soon also third-party password maangers on Android)

That's a showstopper for me, personally. Not saying the idea is a bad one (at all!), but I won't be using it for myself.

[lxgr]

Me too – I'd much rather trust my password manager, so I'm hoping that platform/browser APIs will eventually become available that will allow such third-party implementations. (Android is planning to; iOS hasn't stated anything yet.)

Even then I would probably not add my bank credentials or other high-sensitivity things there.