[4ad]

If you use a software-based password manager, passkeys are indistinguishable from passwords both from a UX perspective and a security perspective.

If you store passkeys in hardware, then yes, passkeys are more secure, but you lose portability.

[javawizard]

> If you use a software-based password manager, passkeys are indistinguishable from passwords both from a UX perspective and a security perspective.

That's not correct. Passkeys use public-key cryptography and a challenge-response authentication mechanism, so an adversary in possession of a read-only copy of the database of the service you're trying to authenticate with won't be able to authenticate as you - which is very much a security improvement over passwords, even when both are stored in a password manager.

[AnonC]

> an adversary in possession of a read-only copy of the database of the service you're trying to authenticate with

True, but GP is referring to the private key on the (user’s) device or computer being stored in a password manager. The main protection that passkeys offer in such a case is that there’s no case of passkey reuse across services and accounts, which is something that’s possible with passwords even if one used a password manager (albeit poorly by not generating unique passwords for each account).

[stavros]

This is wrong, as a MITM or keylogger can't steal a passkey, while they can steal a password.

[AnonC]

Since the passkey is the private key in the private-public pair, if it’s stored on a password manager it can definitely be stolen by malware (if you could have a key logger, you could have something else too). The only solution is to have the passkey (actually private key) reside in hardware or be protected by dedicated hardware.