kqr 9 days ago

Passkeys are still a shared secret, aren't they? Asymmetric cryptography would have been amazing. Barring that, I would actually recommend OAuth or something like it, to limit the number of parties who manage shared secrets to a smaller set of actors who have more experience doing so.

kro 9 days ago

They are in fact public/private keys and use signing a challenge for authentication.

barrkel 9 days ago

But in practice they usually rely on attestation by an approved vendor, and the vendor won't let you control your private key, so they'll leverage it for lock-in.

growse 9 days ago

No, they're just resident WebAuthn credentials which use asymmetric crypto.