In my limited understanding, they are similar to SSH public/private key pairs. But the details continue to elude me, no matter how much I read about them. Won't try them out until I get how they work.
It’s that, except the OS manages the private key (in a “secure enclave”). So you, the user (or malware), never get access to the private key.
The second crucial part is that these private keys are cloud synced. This means that the average Joe doesn’t lose their passkeys when they lose their phone. Get a new phone, and it will sync your passkeys and you are back. For people in the Apple ecosystem, it really is a straight upgrade over passwords.
Where it sucks:
- I’m not comfortable trusting a big vendor with the keys to my digital life
- I only have one device, so when I lose that device I’m locked out till I get another
- I want to use my own password manager to handle passkeys
- I am in multiple big vendor ecosystems
- I want to export these private keys (this one is sort of coming, the standard has been defined to allow export and import, but again in such a way that the user (or malware) cannot access these private keys)
Thanks for the explanation, it was very clear. Especially the bit about never being able to see your own private key. Ok I get it, it's to prevent malware from doing the same, but it's still vaguely distasteful.
My understanding: It's like a YubiKey (a device that lets you log in securely) but using a similar protocol without the hardware. "Virtualized" in other words. Unfortunately susceptible to poor self-serving implementation UI by greedy vendors.
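
The key-pair sign-in discussed in this thread, as an added example that is not part of any comment above: a simplified Node.js model in which an authenticator keeps the private key, and the site stores only the public key and checks a signature over a fresh random challenge. It is not the WebAuthn wire format; `createAuthenticator`, `createServer`, `demo` and `example.test` are hypothetical names.

```javascript
// Simplified model of passkey sign-in; not the WebAuthn wire format.
// createAuthenticator, createServer and "example.test" are hypothetical names.
const nodeCrypto = require('node:crypto');

// Stands in for the OS/secure enclave: private keys stay inside this closure.
function createAuthenticator() {
  const keys = new Map(); // site -> private key
  return {
    register(site) {
      const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
      keys.set(site, pair.privateKey);
      return pair.publicKey.export({ type: 'spki', format: 'pem' }); // public half only
    },
    sign(site, challenge) {
      if (!keys.has(site)) throw new Error(`no passkey for ${site}`);
      return nodeCrypto.sign('sha256', challenge, keys.get(site));
    },
  };
}

// The server stores public keys only.
function createServer() {
  const publicKeys = new Map(); // user -> PEM public key
  const pending = new Map();    // user -> outstanding challenge
  return {
    enroll(user, pem) { publicKeys.set(user, pem); },
    newChallenge(user) {
      const challenge = nodeCrypto.randomBytes(32);
      pending.set(user, challenge);
      return challenge;
    },
    verify(user, signature) {
      const challenge = pending.get(user);
      pending.delete(user); // each challenge is single-use
      if (!challenge || !publicKeys.has(user)) return false;
      return nodeCrypto.verify('sha256', challenge, publicKeys.get(user), signature);
    },
  };
}

function demo() {
  const phone = createAuthenticator();
  const server = createServer();
  server.enroll('alice', phone.register('example.test'));
  const sig = phone.sign('example.test', server.newChallenge('alice'));
  const firstUse = server.verify('alice', sig);
  const replayed = server.verify('alice', sig); // challenge already consumed
  return { firstUse, replayed };
}
```

Because every sign-in signs a new challenge, a captured signature cannot be reused, and nothing the server holds can produce one.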