When I initially read about passkeys, I understood they'd replace the email/password flow.
However, I have been using passkeys (when I can) with 1Password and so far my experience is that they "just" replace the TOTP codes that were already pre-filled by 1Password anyway. So in terms of UX there is not a big gain.
I guess that the current advantage is that passkeys are cryptographically secure, while in theory 1Password TOTP auto-fill is based on just matching domain names.
Am I missing something here?
Passkeys can:
- Replace the whole login (including discovery of the user id)
- Just replace the password, after a user specified a user id
- Be used as a second factor just like TOTP
They are definitely more phishing-resistant, for what it’s worth, even if just used for MFA. TOTP codes can be copied manually by an unsuspecting user.
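
The phishing resistance mentioned in the answer above comes from checks the relying party makes on every passkey response, which a TOTP code has no equivalent of. As an added example (not part of the original thread), this Python code runs those WebAuthn binding checks on constructed data; the origins, RP ID, and function names are assumptions, and verifying the signature over the same fields is a separate step not shown here.

```python
import base64
import hashlib
import json

UP, UV = 0x01, 0x04  # authenticatorData flag bits: user present, user verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def binding_errors(client_data_json, authenticator_data, *, origin, rp_id,
                   challenge, require_uv=False):
    """Return the relying-party binding checks that fail (empty list = pass)."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    if client.get("challenge") != b64url(challenge):
        errors.append("challenge")      # stale or replayed response
    if client.get("origin") != origin:
        errors.append("origin")         # browser-reported page origin differs
    if len(authenticator_data) < 37:    # rpIdHash (32) + flags (1) + counter (4)
        return errors + ["authenticator_data"]
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        errors.append("rp_id_hash")     # credential is scoped to another RP ID
    flags = authenticator_data[32]
    if not flags & UP:
        errors.append("user_present")
    if require_uv and not flags & UV:   # policy choice: on when the passkey is the only factor
        errors.append("user_verified")
    return errors


def sample(origin, rp_id, challenge, flags=UP | UV):
    """Constructed assertion fields (no signature), for this example only."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client, auth


CHALLENGE = b"\x01" * 32  # constructed; a real server generates a random one per login
SITE = {"origin": "https://login.example.com", "rp_id": "example.com"}  # assumed RP
GOOD = sample(SITE["origin"], SITE["rp_id"], CHALLENGE)
# Constructed response as it would look if produced on a look-alike site.
LOOKALIKE = sample("https://login.example-com.test", "example-com.test", CHALLENGE)
```

A TOTP code typed into the look-alike page would carry none of these fields, so the server could not tell where it was entered.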