My understanding of Passkeys used to be that they were hardware-bound, so stored in the system’s TPM, Secure Enclave, whatever. Somewhere they can’t be retrieved. As soon as I realised that wasn’t the case I lost all interest in Passkeys.
Why would I bother when it’s basically just a password? Some services I’ve seen dangerously accept it as a form of 2FA, when it’s anything but.
One key difference is that it's not anything like a password.
With a password, you send your password to the server and hope it's not intercepted or stored in plain text.
Passkeys are more equivalent to the server sending you some random data and asking you to sign that data plus the server URL with your private key. Then the server can check it against the public key it has to verify you possess the correct private key. It's both phishing and replay resistant.
This is correct. There are two types of passkeys: device-bound and synced. You can choose whichever credential manager/authenticator that supports your needs.