Comment by nottorp
1 month ago
Iirc the original idea was that passkeys should be device specific. Of course that's impractical so now they're morphing to a long password that a human can't process.
In a few years someone will post "how about a long human retainable passphrase?" as a new and improved discovery.
They are still different to a password in that the service you are logging in to never gets the private key. So in the case the database gets compromised, if the service provider ensures no edits were made / restores a backup, there is no need to change your passkey since it was never exposed.
That was possible before passkeys.
https://www.rfc-editor.org/rfc/rfc9807.html
https://en.wikipedia.org/wiki/Password-authenticated_key_agr...