I admit that passkeys have never made sense to me. You still have a username and password, but you’ve added a middleman who manages the password. Why not just use a password manager (without MFA, another useless annoyance)?

If you really want passkeys, put them in a password manager you control. But don’t use a platform controlled passkey store, and be very careful with security keys.

Amazing article. Lots of great inside baseball. I’m a big proponent of hardware security keys, the whole pass key thing didn’t make sense to me. Especially the resident keys. If you user workflow is terrible, nobody is going to use them. Which is even worse than not existing