> It just seems like I’m giving up on security by switching to passkeys, away from randomly generated passwords.
This is true for you, but the majority of people reuse poor passwords all over the place and do not have MFA set up.
For the average user, the risk of a breach on some poorly secured third-party site is significantly higher than someone stealing their phone and cracking their passcode somehow.
If I conceptualise it as "your device unlock code is now also your master password but instead of randomly generated passwords we're using a key system actually designed for what we're doing with it" it makes a lot of sense.
Is it less secure than a Fully Correctly Implemented set of current best practices for sufficiently* paranoid geeks? Arguably, yes.
Is it more secure than what almost everybody was currently doing while also having the absolute bare minimum of friction to get the benefits it does provide? I strongly suspect so.
* I really do mean 'sufficiently' rather than 'excessively' here.