by jeroenhd 351 days ago
> The idea of passkeys is that they are supposed to be tied to a hardware device.

No, not really. That was more of a U2F/WebAuthn concept. Passkeys are intentionally permitted to be attached to accounts.

You can use hardware-bound tokens as passkeys if you prefer, of course. However, that approach has led to a huge amount of people getting locked out of their accounts because they lost their Yubikey or reset their phone.

There are implementation improvements to be made, for sure, especially on Windows. However, that same 75 year old also won't know to look in Edge's password manager when Bitwarden says it can't find a password for a given website.

And let's be honest, that 75 year old won't be using Bitwarden or a password manager anyway, their password will be NameOfGrandkid2003 despite being told to pick a different one after the last time their account got taken over.

I wish I could use passkeys more often but when websites offer 2FA of any kind, it'll be through TOTP, and usually without providing any recovery codes either. TOTP and email+password aren't going away.


I thought Webauthn IS passkeys! It's a different thing...?

I thought Webauthn is a U2F continuation that uses them for both 2FA and login... and the login thing is called "passkey". It is not?

(I implemented U2F 2FA before and still cannot figure this out.)

Passkeys are the name used for FIDO2 authentication flows for normal people.

WebAuthn is the JavaScript API to access the USB devices speaking U2F to the browser.

FIDO2 extends the WebAuthn API by also offering to store security tokens inside of a device's TPM, by using CTAP2 to authenticate with an external device or service, or by using good old U2F. If you're implementing it, you generally only need to deal with the WebAuthn side, the browser will take care of the rest.

You can think of Passkeys as "WebAuthn 1.1". Names like WebAuthn and U2F don't exactly attract the general consumer, so they rebranded it. The same way websites used names like "passwordless logins" when trying to describe WebAuthn+U2F, except "passkey" seems backed by larger companies.

If you've implemented WebAuthn correctly (I doubt you actually interacted with the U2F API directly), you've also implemented passkeys.

The naming is rather confusing, mostly because a lot of websites used the wrong name for the wrong part of the process. Luckily, almost nobody actually knows what the hell a WebAuthn is, so passkeys are the introduction to the whole stack for most people.
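The relying-party side of what the comment above describes, as an added example that is not from this thread or from any named project: it builds the WebAuthn creation options that request a passkey (a discoverable credential, optionally restricted to roaming hardware keys) and reads the backup-eligible / backup-state flags from authenticatorData to tell a device-bound credential from a synced one. The function names and the constructed sample bytes are my own; the flag bit positions are those defined by WebAuthn.

```javascript
// Build PublicKeyCredentialCreationOptions for a passkey registration.
// `hardwareOnly` restricts the ceremony to roaming (cross-platform)
// authenticators such as USB security keys instead of the device's own TPM.
function buildPasskeyCreationOptions({ rpId, rpName, userId, userName, challenge, hardwareOnly = false }) {
  const selection = {
    residentKey: "required",   // discoverable credential: this is what "passkey" means in practice
    requireResidentKey: true,  // legacy boolean for browsers that predate residentKey
    userVerification: "required",
  };
  if (hardwareOnly) selection.authenticatorAttachment = "cross-platform";
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge, // random bytes issued by the server for this ceremony only
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: selection,
    extensions: { credProps: true }, // lets the browser report whether the credential is really discoverable
  };
}

// Parse the flags byte of authenticatorData: it sits at offset 32, right after the 32-byte rpIdHash.
function parseAuthDataFlags(authData) {
  const f = authData[32];
  return {
    userPresent:    (f & 0x01) !== 0,
    userVerified:   (f & 0x04) !== 0,
    backupEligible: (f & 0x08) !== 0, // BE: the credential may be synced to other devices
    backedUp:       (f & 0x10) !== 0, // BS: the credential currently is backed up / synced
    attested:       (f & 0x40) !== 0, // AT: attested credential data follows
  };
}

// Classify a registered credential the way a server would record it.
function classifyCredential(authData) {
  const flags = parseAuthDataFlags(authData);
  if (!flags.backupEligible) return "device-bound";
  return flags.backedUp ? "synced" : "sync-eligible";
}

// Constructed sample: zeroed rpIdHash placeholder, one flags byte, 4-byte signature counter.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}
```

In a browser the ceremony itself is `navigator.credentials.create({ publicKey: buildPasskeyCreationOptions({...}) })`; the server then verifies the response and classifies `response.getAuthenticatorData()` as above.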

Just a side note my 80 year old mother uses Linux with keepassxc and has generally more secure processes than many software developers I know (who often use very simple passwords, share them around freely...).

Just to say that we should be careful with our generalisations (I know you didn't start this one).

Why should we be careful? Not trying to troll here, but your mother being an exception to the generalization doesn't mean the generalization is wrong. Nobody said 100% of old people had bad security habits.