Passkeys are a mystery, and no one bothers to explain what they are, what it means, how it works, what to do, what to avoid.
I'm not an average user - MA in Mathematics, Ph.D. in Computer Science, 27 years of experience as a developer. I have a vague idea that a passkey is like a password, but you don't see it and don't type it and it's stored "somehow, somewhere."
I can't make much sense of that. How is an "average user" suppose to make sense of that?
When I try to find out how passkeys work, I get some incomprehensible gibberish about self-signed certificates, public/private key pairs, challenges, and on and on. In short, a Monad is just a monoid in the category of endofunctors of X, with product (X) replaced by composition of endofunctors and unit set by the identity endofunctor. What's the big deal?
Since any device that stores a passkey can be lost or destroyed at any moment, I assume any passkey can be lost at any moment, and there had better be a way to recover from that. Is there? Who knows.
Passkeys are designed to be hidden from the user. The author of this article even went on GitHub telling an open source implementation to not let users copy the private key.
https://github.com/keepassxreboot/keepassxc/issues/10407
There is a good reason for it. If you can copy and paste your passkey, then a phishing site can just ask you for it, making the phishing protection passkeys provide moot.
But the consequence is people, including many technical users on this website, cannot get a grasp on passkeys both as a concept and in a literal sense. How can you perceive, let alone understand, something that is designed to be hidden from you? It also doesn't help that it was pushed on users with little explanation and comes with many seemingly incompatible implementations.
Unless passkeys are redesigned to solve the intangibility problem, grannies will keep losing their accounts for no good reason and we will keep arguing about it on HN.