by goosejuice 64 days ago
I'm a fan of passkeys because I don't have to store sensitive info. It's just a public key and I don't need identifiable info from the user. That's a super nice option for some niche low stakes software.

Unfortunately that breaks down when someone doesn't set multiple keys as backup and gets locked out. Then you're right back to password/backup code or some kind of recovery to email or phone. Chances are people just store their backup codes as plain text too. They also break down across desktop/mobile, e.g. register on desktop then try to log in on mobile. Not everyone has a good sync solution here, especially the non-technical.

Honestly all the solutions have trade-offs in UX/security/privacy and dependency on third-party services. The best solution is going to be highly dependent on the business.
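The two server-side points in the comment above, that a passkey relying party stores only a public key and that backup codes should not sit in the database as plain text, as an added example that is not part of the original thread. It is a self-contained Go sketch of a hypothetical in-memory `Account` record: the user's device holds the private key and signs the WebAuthn assertion digest, the server verifies with the stored P-256 public key and checks its own challenge, and recovery codes are issued once in the clear but kept only as salted hashes and burned on use. The `Account`, `NewAccount`, `VerifyAssertion`, `IssueBackupCodes` and `RedeemBackupCode` names and the constructed `clientDataJSON` are assumptions for this example; the substring challenge check stands in for real JSON and origin validation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/hex"
	"fmt"
)

// Account is a hypothetical in-memory record. Per passkey the relying party
// keeps only an opaque credential ID and a public key: nothing secret and no
// PII. Backup codes are single-use and stored only as SHA-256(salt || code).
type Account struct {
	Passkeys    map[string]*ecdsa.PublicKey // hex(credentialID) -> public key
	BackupCodes map[string][]byte           // hex(salt) -> hash
}

func NewAccount() *Account {
	return &Account{Passkeys: map[string]*ecdsa.PublicKey{}, BackupCodes: map[string][]byte{}}
}

func (a *Account) RegisterPasskey(credID []byte, pub *ecdsa.PublicKey) {
	a.Passkeys[hex.EncodeToString(credID)] = pub
}

// assertionDigest follows the WebAuthn rule: the device signs
// authenticatorData || SHA-256(clientDataJSON); ECDSA/P-256 hashes that again.
func assertionDigest(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return h[:]
}

// VerifyAssertion checks a login against the stored public key and requires
// the server-issued challenge to be echoed in clientDataJSON (a substring
// check stands in for full JSON parsing here).
func (a *Account) VerifyAssertion(credID, authData, clientDataJSON, sig []byte, challenge string) bool {
	pub, ok := a.Passkeys[hex.EncodeToString(credID)]
	if !ok || !bytes.Contains(clientDataJSON, []byte(`"challenge":"`+challenge+`"`)) {
		return false
	}
	return ecdsa.VerifyASN1(pub, assertionDigest(authData, clientDataJSON), sig)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG available: never fall back to weak codes
	}
	return b
}

func hashCode(salt []byte, code string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), []byte(code)...))
	return h[:]
}

// IssueBackupCodes returns n random codes in plaintext exactly once, for the
// user to save, and stores only salted hashes. With 80 random bits per code a
// salted fast hash is adequate; a user-chosen secret would need a slow KDF.
func (a *Account) IssueBackupCodes(n int) []string {
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	codes := make([]string, 0, n)
	for i := 0; i < n; i++ {
		code, salt := enc.EncodeToString(randomBytes(10)), randomBytes(16)
		a.BackupCodes[hex.EncodeToString(salt)] = hashCode(salt, code)
		codes = append(codes, code)
	}
	return codes
}

// RedeemBackupCode accepts a code once and then burns it.
func (a *Account) RedeemBackupCode(code string) bool {
	for saltHex, want := range a.BackupCodes {
		salt, _ := hex.DecodeString(saltHex)
		if subtle.ConstantTimeCompare(hashCode(salt, code), want) == 1 {
			delete(a.BackupCodes, saltHex)
			return true
		}
	}
	return false
}

func main() {
	acct := NewAccount()
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lives on the device only
	credID := randomBytes(16)
	acct.RegisterPasskey(credID, &priv.PublicKey)
	authData := []byte("constructed authenticator data")
	clientData := []byte(`{"type":"webauthn.get","challenge":"c0ns7ruct3d","origin":"https://example.test"}`)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, assertionDigest(authData, clientData)) // signed on the device
	fmt.Println("login:", acct.VerifyAssertion(credID, authData, clientData, sig, "c0ns7ruct3d"))
	codes := acct.IssueBackupCodes(3)
	fmt.Println("code use:", acct.RedeemBackupCode(codes[0]), "reuse:", acct.RedeemBackupCode(codes[0]))
}
```

Note the asymmetry the comment is getting at: a leak of `Passkeys` gives an attacker nothing to log in with, while a leak of plaintext backup codes is equivalent to a leaked password, which is why the codes go through `hashCode` before they touch storage and why the plaintext is returned only once.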


The sync situation is a bit of a mess but it's getting better. Personally I use 1Password and everything is synced everywhere effortlessly. But if you are a Windows user without a password manager then you are probably best off just using your phone and the QR code scan flow.

The UX issues of Passkeys can and are being fixed. The issues with passwords are unfixable.

> The UX issues of Passkeys can and are being fixed.

I don't see any solutions to the recovery problem that don't introduce another login mechanism. But as a primary method the UX is pretty good for the technically literate.

It should be relatively hard to get locked out. Keys are synced to all of your devices so you'd have to lose everything at once.