Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Everything you said is correct, but you misunderstood my point. I was referring to the fact that Google/Apple/whatever would hold your private key. In practical terms, it is barely different from the existing “Sign in with Google/Apple/whatever”.