Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
That’s the root of the problem. Nontechnical people don’t use good passwords, but all the ideas we have for replacing them are only usable by more technically minded people.
There are a variety of other reasons why passwords are bad, though.