by landmass
1134 days ago
Curious about how Passkeys work at the website level. Passkeys strike me as essentially an authentication method.

1. Signing up or logging in to a website today, you'd expect your password to be hashed, stored, and protected. (I understand some are stored in plain text, but that isn't part of this question.) Assuming you want to change over, or create a new account, to passkeys, how do they store and protect that account?

2. Assuming you're still using a password manager for the foreseeable future, does it make sense to use passkeys to access that? IIRC, most password managers will use your password/passphrase (plus a lot of processing) to encrypt your vault. Even if you authenticate with passkeys and gain access, how do you decrypt your vault without your password/passphrase? It's clear that authentication does no good if your vault is already sitting on the black hat's desktop, as LastPass discovered, so a basis for encryption is still required. It appears to me that anything that requires an encrypted holding will still require passwords/passphrases.