Again, a reminder that this is an across the board terrible awful idea.
It's all the dangers of 3rd party passwords - namely, before you had two parties, now you have three and thus inherently less safe - but worse.
Now, it's just even HARDER for you to control your own keys to your own stuff.
There's one and only one reasonable way to execute this, and that's to include huge liability for the 3rd parties. Unless they'll pay up or otherwise fix in the event of a breach, this is a non-starter.
I don't understand your concern. How is it more difficult to control the keys? Why is it less secure than 2fa solutions?
Every worry I've heard about passkeys can be leveled at 2fa schemes as well. The upside of passkeys is they can't be phished, can't be revealed in data breaches, and can't be forgotten. What third company is involved? Are you thinking about syncing services? With the exception of Linux (for now), you can have passkeys enabled on any modern device. It is just public/private key sharing right?
A bad actor would have to have your device and be able to unlock it in order to get access to your accounts secured with passkeys. Every time passkeys are mentioned on HN the FUD starts flying and people lose their minds. Passwords are terrible with many weaknesses. There isn't perfect security, there are always weaknesses but I have yet to be shown how passkeys are worse than passwords for typical users.
My specific concern is the "tied to a device". The only devices that seem to support the keys are proprietary devices, that only offer to backup the passkeys to their proprietary services.
I can't see myself using this unless I can store the passkeys in my own keepassx (or similar) system, that I can manage 100% the backup, replication + storage of myself, without any assistance from a 3rd party.
Oh come on. You can CHANGE passwords. That's the point.
Passwords are safer not because they're bulletproof. They're safer because they fail elegantly. You can't change biometrics and that's why they're definitely worse. They might be acceptable as one of many factors, but they're absolutely the worst idea for a primary.
I think it’s a nonstarter because the n00bs and n0rm1es will have no idea what to make of it, and will quickly go back to passwords because they just work predictably.
To me it reeks of something that looked great, when you show a room of engineers. But for regular people?
Perhaps, but I recently added passkeys for Apple and Google accounts and the actual enrollment process and login didn't feel much more complicated than using the built in password manager for Chrome plus Touch or Face ID which people are already familiar with.
That itself may be too complicated for some but it essentially was a few automatic prompts and instructions to scan my finger to login after it was done.