Yeah, the phone stuff is really an edge case for people using something like a work device to access a personal account. I’ve tested it but almost never use it.
The public comms around this capability have been terrible, at least towards a technical audience. It all focuses on the "key stored on phones with proprietary OS" model, completely hiding how it actually works. I'm sure that's fine for a general audience, but as someone who doesn't trust these big companies with my whole life, it's an extremely repelling message.
Like the very first sentence on the official passkeys website is, "A passkey allows a user to sign in to apps and websites with the same process that they use to unlock their device (biometrics, PIN, or pattern)." I don't use any of those methods to unlock my Linux laptop! What does unlocking my personal device have to do with logging in to websites? Is it reading my /etc/shadow? What's going on here?? Just terrible.
Oh, it's just a keypairing system. Okay. Why don't they just say that?? How you unlock the private keystore is just an implementation detail, not an inherent property of passkeys.
Thanks again for the Bitwarden link, I'm going to play around with it this weekend and see if I can figure out how it actually works without all the off-putting, misleading marketing speak.
Update for anyone who stumbles across this: I've found passkeys are still not ready for prime time :( I tried creating one in Google with Firefox, but apparently they don't allow desktop browsers to create passkeys. I tried setting up Bitwarden to manage local passkeys, but it requires an account on their cloud services or a bunch of work to set up your own local cloud service, which I'm not going to do. Sigh. I was excited to try this, but passkeys are clearly not aimed at people who want to own their own data.
If passkeys are too complicated for me to figure out, I don't think they have any hope for the wider public.