Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?
So it sounds like basically it’s just client certificates?
Basically, but with a separate public/private key pair per login so they aren’t able to link your identity between sites or accounts with it and also synced or stored in a password manager so you don’t lose them.
Yep! In fact you can still use client certificates in certain passkey/WebAuthN authentication flows. It’s more or less how Windows Hello for Business works (although X.509 certificates are only one type of key it supports).
Basically but with better software and better branding.