Hear me out, THEN tell me how wrong I am :D<p>With Microsoft's latest admission that they're FORCING everybody to use passkeys, it really gives one a moment of pause to reflect.<p>In the mad rush to "improve security" many people seem to be missing the entire point in this debate.<p>Passwords are "something you know"
Passkeys are "something you have"<p>These two things are individual factors, and are not exclusive. Infact, "MFA" is to use two factors, not just one; and that is where the security comes from.<p>Switching to Passkey is nominal, at best, without having a second factor to keep it MFA.<p>If you care about security, don't delude yourself in thinking passkey alone is some sort of holy grail, it's not.<p>However, the push to replace passwords with passkeys is a fundamental shift in security paramount to changing gravity. And I, at least, think it's a serious mistake.<p>The reason is that passkeys require something you have. Either hardware or virtually with software, but if you, for some reason, don't have that thing, then guess what? For most lay users, it's a serious point of pain and friction. Those who care about security are willing to accept that, but EVERYBODY? Is it really necessary for every single person to stop using passwords? Seems like a myopic assertion that doesn't consider the users themselves.<p>The real problem here is evidenced by WHO is pushing for this. It is the platform vendors. Microsoft. Apple.<p>And why is that?<p>If Microsoft actually cared about their user's security, they'd have resolved many other problems before this.<p>Personally, I think is about one thing and one thing only: Control of the users, and vendor lock-in to their walled garden.