charcircuit 9 days ago

Reducing passkeys to the security level of passwords is not just "making something user friendly". It's undoing all of the hardware everyone else in the ecosystem is putting into making a more secure way for authentication to be done.

kbolino 9 days ago | parent | next [-]

Passkeys have several advantages over passwords but not all of them rely on UX controls. They are, after all, public-private keypairs and the private part is never shared during authentication. The wider web never adopted PAKEs so passwords are still sent verbatim over the (TLS-protected) wire.

charcircuit 9 days ago | parent [-]

With password managers passwords are not reused which avoids this problem already.

kbolino 9 days ago | parent [-]

Not reusing passwords across sites greatly limits the blast radius but verbatim password exchange still carries its own risks. The widespread adoption of TLS addressed most of the issues, as I alluded to already, but there are still insider threats, MITM phishers, and infrastructure compromises from time to time.

zekica 9 days ago | parent | prev [-]

How exactly is this "reducing the security level to those of passwords"? For example: you can't use a passkey on an attacker's web site even if you have a plaintext copy of the private key.

charcircuit 9 days ago | parent [-]

I'm not following. The issue is about it being used for the site the private key is for. The attacker's site is irrelevant here.