科技回声

A tech news platform built on Next.js, providing global tech news and discussion content.

Passkey is just a different password manager. Stop trying to kill the password

8 points, by srevenant, about 2 years ago

My assertion below. Prove me wrong :)

It's clear that a lot of people don't understand the basic tenets of strong authentication, which is best done with at least:

1. Something you know
2. Something you have

This is the heart of MFA. The problem with passwords is around point #1 — "something you know". For so long this has been the ONLY thing to authenticate, and that's a serious problem, because people don't do #1 very well.

So for years people tried to strengthen #1, which has been a fruitless battle. People continue to write down passwords, they continue to make them insecure, and not rotate them.

But that's the whole point of MFA.

The crusade should be about getting to MFA, not abolishing #1.

The problem with Passkey is it just swaps #1 with #2, and if anything gives a very large false sense of security, because most people I know who do actually do MFA also do it on their phone, which is also the same device doing their passkey.

In fact some people think that Passkey is a replacement for having MFA!

But it really isn't much different than just using a password manager.

Because most people use their phone for their MFA (right or wrong), now we are just at:

1. Something you have.
2. The same thing you have.

And folks, that's no longer MFA!

I'm not saying Passkey is bad, I'm saying this crusade to kill the password is completely misaligned, it's confusing people, and it's really better to focus on explaining to people the point of MFA (the above two things).

Passkey is, at best, a QOL thing.

It's BETTER than weak passwords that are never changed. It's BETTER than even strong passwords that are never changed.

But it's really not any different than strong passwords with rotation, and a password manager.

4 comments

compressedgas, about 2 years ago

But there is a fundamental difference. Password phishing is impossible with passkeys. You may authenticate to a site that you didn't mean to with a key you meant to use elsewhere, but this does not allow that site to impersonate you on that other site.
rektide, about 2 years ago

I don't think you grasp how many different options a site can make when asking for passkeys.

Passkeys definitely retain something you know / something you have restrictions, if the site asks for it.
aborsy, about 2 years ago

You didn’t get it. Passkeys are public key cryptography. It’s like SSH authentication with public keys versus password.
hayst4ck, about 2 years ago

Instead of framing your opinion through a philosophical, theoretical lens, frame it through a practical lens, or an actual real-life, security-threat-assessment-based lens. Think about things like phishing, password re-use, sucking data out of the system clipboard, or keylogging.

Passwords are symmetric in nature while keys are asymmetric. This property defeats a very large number of attacks without really increasing the attack surface.

The 2nd factor is not just something you have, but also something you have right now. Time is not an irrelevant factor. You are correct that it is bad for these to co-exist on the same device. Being on different devices boosts security considerably. Yubikeys and secure enclaves are both good things.

> 1. Something you know 2. Something you have

I think you are stumbling over this statement. You are treating it as a priori truth, when it is not derived from mathematical truth. "Something you know and something you have" is the result of practical and economic processes of generating better systems of authentication.

> which has been a fruitless battle

This is false: password managers and salted, hashed passwords, as well as more advanced hashing algorithms, have boosted security significantly. Security teams at large companies have done significant work around forcing password changes against people suspected of being compromised. Password managers themselves have started to warn people about password re-use, which is also very positive.

> never changed.

Password rotation is not really considered a security practice of value, at least among people I know. I think most people who work in security would consider it security theater. Password rotation is a band-aid for the problem of password re-use. Changing a password only matters *if* the password has already been compromised. So password rotation is a mitigation technique more than a security technique.

> But it's really not any different than strong passwords with rotation, and a password manager.

It's also important to consider that passkeys are behind your phone's password or your system's password. So there is still generally a password protecting these items, but the password is a local check rather than a check against a remote machine.

Summary of my response to you:

    The difference between symmetric and asymmetric encryption is real and of value.
    Passkeys still require "something you know" to get loaded into memory.
    You are right to not want multiple factors on the same device.
    Password rotation is a red herring.
    Think of things in terms of the attacker, not in terms of how things "are supposed to be."

Blind adherence to rules that you don't understand how they are made is called cargo-culting, and people in security *hate* cargo-culting. You made a post because you understand that there are things you don't know you don't know, and that is a good instinct. What you don't know is the properties of asymmetric encryption and potentially standard techniques for compromising authentication.

You took the correct idea that multiple factors of authentication being on the same device is bad and turned that into the (IMHO) false idea that passwords have better security properties than passkeys.