Theo does a pretty good job explaining passkeys here, with a nice primer on asymmetrical encryption (public key/private key).
If you’re a tech newbie, it might be an interesting view.
What’s your opinion of Passkey vs. 2FA (password plus physical token)?
I’m skeptical of passwordless Passkey, but want to hear other opinions.
I consider them less secure than non-synced 2FA codes in an app, which I consider less secure than an air-gapped device like a Yubi.
I do use them though, for accounts I consider less secure. For instance, any company that requires an SMS backup for 2FA, you might as well use a passkey because it’s more convenient and you’re only as secure as SMS anyways.
Only thing that bothers me is that we've always had it. FIDO. But now (arguably) big tech funded the name change to "PassKey" and required platform authenticators and device information, aka the zero privacy version of WebAuthn.
My understanding is that “PassKeys” can be shared between devices (via your OS account). Defeats the purpose of a hardware-based authenticator.