There is a <i>lot</i> of FUD around passkeys.<p>Think about all the regular (read: non-Hacker News) users out there who fall for a phishing email/SMS, or who re-use passwords and get popped by a credential stuffing attack. Passkeys provide not only <i>massively-improved</i> security (they can’t be keylogged; they are linked to a specific domain so can’t be spoofed by look-alike fake login pages; they’re protected from replay attacks even if the transport mechanism is compromised), but a <i>much</i> nicer login flow as a bonus.<p>Many people also don’t understand how easy it is to log in from a <i>different</i> device: say an Android user created a passkey for a site with Chrome. Now that user needs to sign in to the same site on a Mac running Safari (where there is no passkey for the user). They can still use their Android device to log in from the Mac by selecting “use a passkey from another device”. Safari will show a QR code that they scan using the Android phone, and verify with their screen lock. A one-time passkey signature is transferred to the Mac, which the website uses to authenticate the user. The two devices verify that they are in proximity with each other using Bluetooth. This cross-device, cross-operating-system mechanism of passkey authentication is standardized under FIDO; no additional work is needed by the website to enable this login flow.<p>If you are “anti-Apple” or “anti-Google” and have strong aversions to them securely backing up things like passkeys (again, think of all the non-Hacker News readers where this is <i>not</i> the case), then go ahead and continue to use passwords. But we should be encouraging our parents, grandparents, siblings, friends, etc. to embrace passkeys to make all of their accounts more secure and phishing-resistant. The more passkey FUD they see, the longer people will have to deal with annoying (and still insecure) SMS codes, the longer passwords will be stolen/re-used, etc.
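The domain binding and replay protection mentioned in the comment above come down to a few checks the website runs on every passkey sign-in. The sketch below is an added example, not part of the original comment and not taken from any library: `RP_ID`, `EXPECTED_ORIGIN`, the function names and the sample responses are all assumptions constructed for illustration, and verifying the signature over `authenticatorData || SHA-256(clientDataJSON)` with the stored public key is a separate step left out here.

```python
import base64, hashlib, json, secrets

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed site origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json, authenticator_data, issued_challenge, used):
    """Return "ok" or the rejection reason (signature check not shown)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong type"
    # Replay protection: the signed data must carry the challenge this
    # server issued for this login, and each challenge is accepted once.
    if client.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"
    if issued_challenge in used:
        return "challenge replayed"
    # Domain binding: the browser, not the page, writes the origin.
    if client.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    # authenticatorData = SHA-256(rpId) (32 bytes) | flags (1) | signCount (4)
    if len(authenticator_data) < 37:
        return "truncated authenticator data"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP (user present) flag
        return "user not present"
    used.add(issued_challenge)
    return "ok"

def make_sample(origin, rp_id, challenge):
    """Build a constructed (not captured) clientDataJSON/authenticatorData pair."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
    return client, auth

def demo():
    used, challenge = set(), secrets.token_bytes(32)
    good = make_sample("https://example.com", "example.com", challenge)
    lookalike = make_sample("https://examp1e.com", "examp1e.com", challenge)
    return [check_binding(*lookalike, challenge, used),  # response bound to another domain
            check_binding(*good, challenge, used),       # genuine sign-in
            check_binding(*good, challenge, used)]       # same response sent again

if __name__ == "__main__":
    print(demo())
```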