TacticalCoder 9 days ago
> Passkeys are the way to go.

I agree, but... passkeys are cloneable, and a clear step back compared to YubiKeys for FIDO2/WebAuthn. Heck, we even used to have a counter where the user could know if one of their keys had been duplicated. I tested this years ago and it worked. That's gone now. People with strong interests in introducing backdoors worked very hard to lower the security we had: it was too good. The people behind this are going to pretend they lowered security in the name of convenience, but to me that's just the excuse: the goal was to lower security, and they'll say "we need cloneable passkeys, otherwise it's just too inconvenient".

Now I'll agree: for regular people passkeys are way better than a PIN code or whatever. But if you're a target, like a journalist reporting on crooked politicians or a whistleblower exposing frauds, don't go thinking your passkeys cannot be cloned and used to access your various accounts. Passkeys can be cloned by design. And it's all in a totally opaque part of the hardware stack under the control of a few very state-friendly corporations. And those pushing passkeys as the best thing since sliced bread happen very often to also be the ones always turning a blind eye to their states' wrongdoings.

So yup, passkeys are good, but no, they didn't lower the security for no reason. So don't rely on passkeys if you're the next Snowden. And certainly don't go listening to state apologists explaining that states wouldn't do such things as lowering security standards in order to make sure they've got their shiny backdoors.
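The counter the comment above refers to is the WebAuthn `signCount` in the authenticator data. An authenticator that implements it increments it on every assertion, and the relying party is supposed to keep the last value it accepted; a counter that fails to advance is the spec's signal that the private key may exist in more than one authenticator. The following is an added illustration of that relying-party check, not code from the post or from any WebAuthn library; the `Authenticator`, `StoredCredential` and scenario functions are constructed stand-ins, and the only thing they model is the counter value an assertion would carry. It also shows the limit of the mechanism: an authenticator that does not implement a counter always reports 0 (which is what synced passkeys typically do), and in that case the check cannot detect anything.

```python
"""Relying-party signCount check (WebAuthn assertion verification), as an
added example. Models only the counter, not signatures or challenges."""
from dataclasses import dataclass


@dataclass
class StoredCredential:
    """What the relying party keeps per registered credential (constructed)."""
    credential_id: bytes
    sign_count: int = 0            # last signCount accepted from this credential
    clone_suspected: bool = False


class CloneSuspected(Exception):
    """Raised when the authenticator's counter failed to advance."""


def check_sign_count(cred: StoredCredential, asserted_count: int) -> str:
    """WebAuthn verification step for authData.signCount.

    Returns "ok" (counter advanced, stored value updated) or "no-counter"
    (authenticator does not implement a counter). Raises CloneSuspected when
    the reported counter is not greater than the stored one, which the spec
    treats as a sign the credential may have been copied.
    """
    if asserted_count == 0 and cred.sign_count == 0:
        # Both zero: the authenticator never reports a counter, so cloning
        # cannot be detected this way at all.
        return "no-counter"
    if asserted_count > cred.sign_count:
        cred.sign_count = asserted_count
        return "ok"
    cred.clone_suspected = True
    raise CloneSuspected(
        f"counter {asserted_count} <= stored {cred.sign_count} for "
        f"{cred.credential_id!r}")


class Authenticator:
    """Constructed stand-in for an authenticator holding one credential."""

    def __init__(self, has_counter: bool):
        self.has_counter = has_counter
        self._count = 0

    def sign(self) -> int:
        """Produce an assertion; returns only the signCount it would carry."""
        if not self.has_counter:
            return 0
        self._count += 1
        return self._count

    def clone(self) -> "Authenticator":
        """Copy the private key together with the current counter state."""
        copy = Authenticator(self.has_counter)
        copy._count = self._count
        return copy


def login(cred: StoredCredential, authenticator: Authenticator) -> str:
    """One assertion from `authenticator` verified against `cred`."""
    try:
        return check_sign_count(cred, authenticator.sign())
    except CloneSuspected:
        return "clone-suspected"


def hardware_key_scenario() -> list:
    """Counter-bearing key is copied after three logins; the copy is used
    first, so the original is the one that trips the check."""
    cred = StoredCredential(b"cred-hw")
    key = Authenticator(has_counter=True)
    events = [login(cred, key) for _ in range(3)]   # counters 1, 2, 3
    copy = key.clone()                                # attacker copies key + counter
    events.append(login(cred, copy))                  # copy reports 4: accepted
    events.append(login(cred, key))                   # original reports 4: rejected
    return events


def synced_passkey_scenario() -> tuple:
    """Counter-less credential: copies are indistinguishable to the RP."""
    cred = StoredCredential(b"cred-synced")
    key = Authenticator(has_counter=False)
    copy = key.clone()
    events = [login(cred, key), login(cred, copy), login(cred, key)]
    return events, cred.clone_suspected


if __name__ == "__main__":
    print(hardware_key_scenario())
    print(synced_passkey_scenario())
```

Two practical caveats follow directly from the logic: the check only fires once both copies have been used, so the clone's first login is accepted, and it only ever says that a copy exists, not which authenticator is the copy, so the sensible relying-party response is to flag the credential and require re-enrollment rather than to trust the one that happened to log in first.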