by ivlad
806 days ago
Nope. Non-resident keys work differently. You register the public key with the service, then you encrypt the private key (via wrapping, but that's beside the point here) with the private key stored on your hardware token and send the encrypted blob to the service, too. When you need to authenticate, the service sends you the encrypted blob, you decrypt it using the key on the hardware token and obtain the private key. Then you do (more or less traditional) public key authentication. So, you don't need to manage your private keys. Services do it for you.
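An added illustration (not from the thread) of the flow ivlad describes, in Go with only the standard library: the token holds one wrapping secret, the service keeps the public key plus the wrapped private key, and a login unwraps that key and signs a fresh challenge. The Token and Service types, the AES-GCM wrapping and the demo keys are assumptions of this example, not details of any real authenticator or passkey provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)

// Token models the hardware token: wrapKey is a constructed demo secret that never leaves it.
type Token struct{ wrapKey []byte }
// Service stores only the public key and the opaque wrapped blob, never the private key.
type Service struct{ pub *ecdsa.PublicKey; blob []byte }
// must keeps the demo short: failures in key generation or randomness are fatal here.
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
// aead is the AES-256-GCM the token uses to wrap and unwrap per-service private keys.
func (t *Token) aead() cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(t.wrapKey)))) }
// Register: make a per-service P-256 key, wrap its private half under the token secret,
// and hand the service the public key plus the blob it will send back at login time.
func Register(t *Token) *Service {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	gcm := t.aead()
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	blob := gcm.Seal(nonce, nonce, must(x509.MarshalECPrivateKey(priv)), nil)
	return &Service{pub: &priv.PublicKey, blob: blob}
}
// Authenticate: the service returns the blob with a fresh challenge; the token unwraps the private
// key and signs it; the service verifies. A different token cannot unwrap, so GCM's tag check errors.
func Authenticate(t *Token, s *Service) (bool, error) {
	gcm := t.aead()
	n := gcm.NonceSize()
	der, err := gcm.Open(nil, s.blob[:n], s.blob[n:], nil)
	if err != nil {
		return false, err
	}
	priv := must(x509.ParseECPrivateKey(der))
	challenge := make([]byte, 32) // service-chosen, so a replayed old signature is useless
	must(rand.Read(challenge))
	digest := sha256.Sum256(challenge)
	sig := must(ecdsa.SignASN1(rand.Reader, priv, digest[:]))
	return ecdsa.VerifyASN1(s.pub, digest[:], sig), nil
}
```

The private key exists in the clear only inside Authenticate, after the token has unwrapped it; what the service holds at rest is the public key and a blob that is useless without the token's secret.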
Indeed, the first real criticism in the post is "For example, if you create a passkey on your iPhone, it easily syncs to Mac devices but is incredibly difficult to use on a Windows device." It is the private key that they are syncing to all of your devices. And they do that for you because they control all of the places that they sync.
I think you can make the case that they should not sync this off device for you, but then you are in the "what happens when my device is lost/broken/stolen?"
You could also argue that they should let you export the key. But then you are back into the "credentials are easily stolen."