Not wanting to use biometrics directly for over-the-web authentication is one thing. Not taking the time to understand the technology being employed by Passkeys is entirely another. That’s your fault.

> That’s your fault.

No one's explained it to me. Other than "DoNT UsE PaSsWoRds", that's not my fault.

Why should I have to learn it, why should my mother have to learn it. This an a totally thrown in your face situation.

Theres plenty of posts in this thread explaining to why its a flawed design. You tell me why not.

There are plenty of posts in this thread that are misrepresenting the technology, in a few cases deliberately. If you feel strongly enough to comment, you owe it to yourself and the discussion to go to the source and understand what it's about - that's what I mean by that's your fault. You clearly understand enough to A) argue against biometrics over the wire and B) feel you can comment on Passkeys.

Most, if not all (I've not read every post) of the 'flaws' mentioned generally exist in computer security; for example, no one is impervious to a thug and a weapon. The implementation is as simple as generating a key pair; the private key is stored in a secure enclave, either on device or in a secure location, and the public key is shared with the 3rd party. All services provide some recovery method upfront, clearly stating the importance of a backup. There is only so much they can do before you accept the responsibility for managing your security and privacy online. Resorting to "won't someone think of the children" doesn't help either. My mother, who is 74, has no problem with passkeys.

Is it perfect? No. There are 'better' competing standards, but they don't have anywhere near the consensus of the broader security field. Is it better than the current status quo? Definitely. Public key cryptography is significantly better than username/password combinations, even with TOTP or HTOP second factors, though ultimately, it will be a while before they disappear.