Passkeys seem to be the best solution for users whose technical chops cannot be trusted, and who are also gullible enough to be a scam / social engineering target. Which, to my mind, describes a large enough chunk of audience of most popular services.

A tech-savvy relative of such a user should help them generate rescue codes, write them on a piece of paper, and store them along with all other important documents. Ideally the paper should also read: "Call me before using any of these codes! <phone number>."

▲

calvinmorrison 5 days ago | parent [-]

it's just a further step whittling away of browsers being a "user client".

a key based approach is great. Knowing (the passphrase) and Having (the key) is a good way to authenticate.

	▲	nine_k 5 days ago \| parent [-]
		A "user agent", I suppose. The agent could identify you to online services, and it does. Remembering and typing a passphrase is often too hard (or "too hard") for some users. A passkey is better than a password like 123456 or name + year of birth, or other such "easy to remember" passwords people invent to avoid remembering a passphrase. Especially if you have a hundred logins. A passkey basically offloads user identification to the OS (especially a mobile OS). It should not be the only way to identify though. An ssh-style key + password is fine. A username + password + TOTP should also be fine. But 99.9% of passwords should be in a password manager anyway. Rescue codes should always be generated and written down when activating a passkey or similar, but this requires certain discipline, some feeling of importance. And many web sites that require registration don't seem important for users, especially one-time users. What makes sense for your Google account, or your bank account, feels like too much ceremony for a low-stakes login like a random online store; losing a login to it does not feel like a big loss to many people.