Groxx|9 months ago
They're closer to a client-side certificate - you never send the server your passkey, you sign data that proves you have it without exposing it. (Or something semantically equivalent anyway)
Other than that, which is mostly only a benefit for edge cases around partially compromised devices or servers: yeah they're not much different than random unique passwords. Except they have vendor-lock-in.
hooverd|9 months ago
SchemaLoad|9 months ago
Passkeys would be vulnerable to phishing if password managers allowed you to export them in plaintext. Because the phishing page would just show you the steps to do this and paste the private key in.
But because most managers have no UI for doing this, it's impossible to trick someone into doing it.
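The challenge-response signing Groxx describes, and the origin binding that makes the relayed-phishing case SchemaLoad mentions fail, as an added example that is not from the thread: a simplified WebAuthn-style assertion in Go using ed25519. The ClientData/Assertion layout, the rpID and origin values, and the reduced field set are constructed for illustration and are not the real protocol's exact encoding.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// ClientData mirrors WebAuthn's clientDataJSON (simplified); the browser, not the page, fills in Origin.
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is all that crosses the wire: the signed JSON plus signature, never the private key.
type Assertion struct {
	ClientData []byte
	Signature  []byte
}

// signedBytes is what gets signed and verified: sha256(rpId) || sha256(clientDataJSON).
func signedBytes(rpID string, clientData []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	return append(rpHash[:], cdHash[:]...)
}

// Sign is the authenticator side; rpID and origin are whatever the browser observed.
func Sign(priv ed25519.PrivateKey, rpID string, challenge []byte, origin string) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientData: cd, Signature: ed25519.Sign(priv, signedBytes(rpID, cd))}, nil
}

// Verify is the server side: challenge and origin are checked, then the signature is verified
// against the server's own rpID, so an assertion produced on a look-alike origin fails even if relayed.
func Verify(pub ed25519.PublicKey, rpID, origin string, challenge []byte, a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil ||
		!bytes.Equal(cd.Challenge, challenge) || cd.Origin != origin {
		return errors.New("client data does not match this login")
	}
	if !ed25519.Verify(pub, signedBytes(rpID, a.ClientData), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}
```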