But the third parties actually have no access to your passkeys. The passkey stored are end to end encrypted blobs. So even if anyone gets hold of it, its useless. But a password for instance when leaked from 3rd party can be used easily as the server will have to decrypt the password at one point. So the means to decrypt the password will be at the server but passkeys aren’t like that. The private passkey can be decrypted only on your device for signing the challenge. Basically your exposure was basically halved.

Today we use lots of accounts with unique passwords. Obviously these passwords have to be stored somewhere. So I disagree with you when you say it’s a unique passkey thing.

Passkey has an advantage when it comes to phishing because it doesn’t totally rely on human intelligence or state of mind.

From a personal experience my data was leaked online, not because of phishing or I was careless. but it was leaked from a well known third party site which I used. They were affected by a very serious breach. Many unlike me use the same passwords for their emails and stuffs. But in case of passkeys there isn’t a shared secret. A breach will be useless.

Thank you… and Yes you are right… There could be many reasons like greed or could be risk management if you think from both ends of spectrum. It’s sad actually they are developed on the same FIDO2 but insists on being seperate which is weird… Also they feel that regular user wouldn’t be able to set up FOSS passkey provider or may be they lose control over encryption if they share with third party.

You just need to memorise the PIN at max. If your device has biometric recognition you could even use your face scan or fingerprint so even remembering a PIN is not needed in that case.

Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn’t there. Because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.

Yep… It’s as secure as your email. Or they are just leveraging the passkeys on the emails.