
Passkeys are horrible because the design encourages the need for a smartphone, which is itself a disaster.


Passkeys only encourage the need for a password management tool, which is funny because if everyone had password management tools to begin with then we wouldn't need passkeys.


This is not true.

Passkeys still protect you from additional things that password managers don't protect you against:

1. Your credential can't be phished as it's cryptographically bound to the domain. You could still be tricked into entering your password and TOTP into a malicious website.

2. Your credential can't be leaked by sloppy servers as it's public key crypto. This makes your security not depend on believing the website you're logging into does proper password hashing and doesn't accidentally log passwords in plaintext.


Most password managers tie credentials to domains. In fact, this is a good indicator of possible phishing attempts when your password manager doesn’t offer to auto-fill your expected credentials.


True, the technical aspect of passkeys does that. But in practice Apple and others want to heavily push for the smartphone as that tool, because it locks people further into that system.


> Passkeys only encourage the need for a password management tool

The dependency on a password management tool.

Be it Yubikey or Apple secure enclave or whatever, it's a shit piece of hardware that will eventually break. Have fun replacing all your credentials at the same time when your phone dies.


> Have fun replacing all your credentials at the same time when your phone dies.

I won't have to, because I've got passkeys on my desktop, my laptop, on my security token, etc. Losing one device won't lock me out.


I just use a Yubikey....

