this post was submitted on 16 Sep 2025
712 points (97.8% liked)

Programmer Humor

[–] malwieder@feddit.org 31 points 1 week ago (1 children)

Passkeys use public key authentication. This makes them very resistant to phishing attacks. It's also not possible for a phishing site to request authentication via a passkey created on the original website.
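Added example (not part of the thread and not any commenter's code): a sketch of the relying-party checks behind the phishing resistance described in the comment above, using the WebAuthn `clientDataJSON` and `authenticatorData` fields. The domains, challenge values and helper names are constructed for illustration, and the signature verification with the stored public key is omitted.

```python
import base64
import hashlib
import hmac
import json
import os

RP_ID = "example.com"             # constructed relying-party ID
ORIGIN = "https://example.com"    # constructed expected origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for the browser (clientDataJSON) and authenticator (authenticatorData)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
    return client_data, auth_data

def check_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes) -> list:
    """Return the list of failed checks; an empty list means origin binding held."""
    failures = []
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        failures.append("type")
    got = str(data.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        failures.append("challenge")      # stale or replayed assertion
    if data.get("origin") != ORIGIN:
        failures.append("origin")         # the browser, not the page, fills this in
    if len(auth_data) < 37:
        return failures + ["authenticatorData too short"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rpIdHash")       # credential was used for a different RP ID
    if not auth_data[32] & 0x01:          # UP flag: user presence
        failures.append("user presence")
    # A real relying party then verifies the signature over
    # auth_data + SHA-256(client_data) with the stored public key (omitted here).
    return failures

if __name__ == "__main__":
    challenge = os.urandom(32)
    print("legitimate:", check_assertion(*make_assertion(ORIGIN, RP_ID, challenge), challenge))
    phish = make_assertion("https://login.example.test", "login.example.test", challenge)
    print("lookalike: ", check_assertion(*phish, challenge))
    print("replayed:  ", check_assertion(*make_assertion(ORIGIN, RP_ID, challenge), os.urandom(32)))
```

Because the signature covers both fields, a page on another origin cannot rewrite them after the fact without invalidating the signature.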

[–] ronigami@lemmy.world 4 points 1 week ago (1 children)

In practice, they use Face ID, which has privacy implications.

[–] malwieder@feddit.org 6 points 1 week ago

In practice, they either use system authentication if you use the implementation bundled with iOS/Android - and sure, that can be Face ID if set up, or other forms of biometric authentication. Both operating systems have APIs that allow password managers to provide their own implementation of passkeys, and in that case you have to authenticate with your password manager - sure, most of them support using system authentication (biometrics) as well, but this could also be a master password or hardware key (which work very similarly to passkeys, by the way).

I'd argue if you don't assume that whatever system you're using is reasonably secure/private, you probably shouldn't enter any passwords on that system either. This isn't a passkeys vs. passwords problem.