Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
What am I dependent on to access by stuff if I use a passkey? A smart phone?
No, you can store them in a password manager. That’s what I do. Doesn’t always work though. Sometimes my browser is prompted for the passkey instead, for reasons I don’t understand.
But what do you do with your Passkey in your password manager if you have to login on another device (you don’t own)?
You use something else. Preferably TOTP.