Passkeys aren't immune to phishing. And they are susceptible to being lost. I say that as someone with two.
Worse, they aren't accepted everywhere. And often places only let you have one registered. :(
So, yes, I agree that they are a solution. I don't know that I feel much safer using one, though. And, at large, I can see how they are not much different to passwords. Just ones that you can't speak to others easily.
Are you sure you’re referring to passkeys like passkeys.dev? The new Web standard?
It builds upon WebAuthn and physical keys but is slightly different and on track to be supported by major platforms.
Sounds like you’re referring to something like YubiKey; it’s hard to lose device-associated passkeys.
How would you phish it? The challenge-response mechanism contains the requesting origin, so it’s very difficult to phish it out given an up-to-date browser.
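
The origin binding described in the comment above, seen from the relying party's side, as an added example that is not part of the thread: the server compares the browser-reported origin, the issued challenge and the authenticator's RP ID hash against its own values. The origin, RP ID and sample data are constructed assumptions, and the signature check over `authenticatorData || SHA-256(clientDataJSON)`, which is what makes these fields trustworthy, is a separate step not shown.

```python
import base64
import hashlib
import hmac
import json

EXPECTED_ORIGIN = "https://login.example.com"  # assumption: the site's own origin
RP_ID = "example.com"                          # assumption: RP ID used at registration


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def binding_problems(client_data_json: bytes, authenticator_data: bytes,
                     issued_challenge: bytes) -> list:
    """Return the failed binding checks; an empty list means all passed."""
    cd = json.loads(client_data_json)
    problems = []
    if cd.get("type") != "webauthn.get":
        problems.append("type")
    # The challenge must be the one this server issued for this login attempt.
    sent = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(issued_challenge).encode()):
        problems.append("challenge")
    # The browser, not the page, writes the origin into clientDataJSON.
    if cd.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin")
    # authenticatorData = rpIdHash (32) | flags (1) | signCount (4) | ...
    want = hashlib.sha256(RP_ID.encode()).digest()
    if len(authenticator_data) < 37 or not hmac.compare_digest(authenticator_data[:32], want):
        problems.append("rpIdHash")
    elif not authenticator_data[32] & 0x01:  # bit 0 = user present
        problems.append("userPresent")
    return problems


def constructed_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator report."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return client_data, auth_data


if __name__ == "__main__":
    ch = b"constructed-challenge-0001"
    print(binding_problems(*constructed_sample(EXPECTED_ORIGIN, RP_ID, ch), ch))
    print(binding_problems(*constructed_sample("https://login.examp1e.com", "examp1e.com", ch), ch))
```
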
You are correct, I meant YubiKeys. I'll have to look a bit more at this new thing.
I confess right now it isn't impressing me. It is sounding too magical in an "it just works" way. With no real explanation of how.
It hurts that it sounds tied to a device. I stopped using some authenticator apps after I lost access to a ton of stuff when my phone broke.
As for phishing, this seems like a MITM would still work better than you'd expect. Folks get really good at ignoring warnings and such. Especially under duress.