Don't use passkeys

Here are two reasons why you shouldn't use passkeys.

Attestation is a privacy nightmare

If you aren't aware, passkeys have a feature called "attestation": at registration, the authenticator can return a signed statement that identifies the make and model of the authenticator you are using.

That means web services can restrict which passkey implementations their users are allowed to use. A malicious company can use this as a vendor lock-in measure: Google could force you to use Google Chrome with its own passkey provider. Well, in that case people would just stop using Google, but there are services you can't simply leave. Note that the restriction does not even need a verifiable attestation statement: every registration already carries the authenticator's model identifier (the AAGUID) and a "backup eligible" flag that marks synced passkeys, so a site can filter on those today. Attestation only makes that filter impossible to fake.

For what it's worth, I found I couldn't use my password manager (which supports passkeys) because they only allowed device-bound passkeys and refused synced ones. I mean, it's my company's web service. They forced me to implement it that way. Remember, you can use synced passkeys only if your tech overlords are merciful enough.
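As an added illustration (my own example, not code from this post or from any passkey provider), here is how a relying party implements exactly that kind of restriction. It parses the authenticator data returned at registration, reads the AAGUID and the backup-eligible/backup-state flags, and applies an allow-list and a "device-bound only" rule. The AAGUID values and credential bytes below are made up for the demo; real providers publish their own identifiers.

```python
import hashlib
import struct
import uuid

# Authenticator-data flag bits from the WebAuthn spec.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, key) follows


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse authenticator data from a registration response.

    Layout: rpIdHash(32) | flags(1) | signCount(4) |
            [ aaguid(16) | credIdLen(2) | credId | COSE public key (CBOR) ]
    The trailing COSE key is CBOR and is left unparsed here.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    info = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        info["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
        info["credential_id"] = cred_id
    return info


def registration_policy(auth_data: bytes, allowed_aaguids: set, allow_synced: bool) -> tuple:
    """Decide whether to accept a new passkey: the lock-in knob described in the post.

    Caveat: unless the attestation statement (attStmt) is verified against the
    vendor's certificate chain, the AAGUID and the BE/BS flags are simply what the
    client reported. With attestation format "none" a site can still filter on
    them; attestation only makes the filter unforgeable.
    """
    info = parse_auth_data(auth_data)
    if info["aaguid"] is None:
        return False, "no attested credential data"
    if info["aaguid"] not in allowed_aaguids:
        return False, "authenticator %s is not on the allow-list" % info["aaguid"]
    if not allow_synced and info["backup_eligible"]:
        return False, "synced (backup-eligible) passkeys are not accepted"
    return True, "accepted"


def build_auth_data(rp_id: str, flags: int, aaguid: uuid.UUID, cred_id: bytes) -> bytes:
    """Construct sample authenticator data for the demo (not from a real authenticator)."""
    cose_key_stub = b"\xa0"  # empty CBOR map standing in for the public key
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", 0)
            + aaguid.bytes
            + struct.pack(">H", len(cred_id))
            + cred_id
            + cose_key_stub)


# Hypothetical AAGUIDs for the demo; placeholders, not any vendor's identifier.
HW_KEY_AAGUID = uuid.UUID("00000000-0000-4000-8000-0000000000a1")
SYNCED_PM_AAGUID = uuid.UUID("00000000-0000-4000-8000-0000000000b2")

COMMON = FLAG_UP | FLAG_UV | FLAG_AT
DEVICE_BOUND = build_auth_data("example.com", COMMON, HW_KEY_AAGUID, b"cred-1")
SYNCED = build_auth_data("example.com", COMMON | FLAG_BE | FLAG_BS, SYNCED_PM_AAGUID, b"cred-2")


def demo() -> dict:
    """Run an open policy, a device-bound-only policy and a hardware allow-list."""
    open_policy = {HW_KEY_AAGUID, SYNCED_PM_AAGUID}
    return {
        "open_synced": registration_policy(SYNCED, open_policy, allow_synced=True),
        "device_bound_only_synced": registration_policy(SYNCED, open_policy, allow_synced=False),
        "hw_allowlist_synced": registration_policy(SYNCED, {HW_KEY_AAGUID}, allow_synced=True),
        "hw_allowlist_device": registration_policy(DEVICE_BOUND, {HW_KEY_AAGUID}, allow_synced=False),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})")
```

The "device-bound only" rule needs nothing but the BE flag, which every current browser sets for synced passkeys, so a site can refuse your password manager's passkeys without ever requesting attestation. What attestation adds is a vendor signature over the AAGUID, so the filter can no longer be bypassed by a client that reports a different model.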

Things can get even worse. What if governments forced you to use certain passkey implementations for their services and refused free and open ones? What if they forced you to install a particular passkey manager to pay your taxes?

What if EU chat controllers forced you to use "government certified" passkey implementations that send your WhatsApp private key to the secret police's server? Or what if the U.K. forced age-verifiable passkeys for certain services? Or, using TPM attestation, they could even lock you into specific hardware. What if they tried to regulate "dangerous" operating systems like Linux?

Conspiracy theory? But if nobody intends to do this, why build the mechanism that makes it possible?

To be fair, it's true that most current passkey implementations, including Chrome, Safari and Edge, don't send attestation data unless a site explicitly asks for it, and the major synced-passkey providers generally return none at all. But that's because passkey adoption is still low. What guarantees they won't change their minds in the future? Why should we trust their goodwill to respect our privacy, which is quite dubious? Remember, Google is trying to restrict installing apps on Android. Why are you sure they won't do the same here?

"Passkeys are phishing-resistant" is a blatant lie

You can still be phished.

Somehow, people who make this claim assume that "phishing" only means luring users into entering their password on a malicious website. But an attacker can just send an email from arnazon.com informing you that your order won't ship because your credit card has expired, and ask you to re-enter the card number and CVC.

(I didn't fact-check whether arnazon.com is available or actually usable; chances are the real Amazon already registered it to prevent scams, I don't know. But you get the idea, right?)

"Oh, a passkey doesn't work on a different domain, so you will notice that you aren't authenticated yet!"

Okay, so let's assume you conveniently noticed that you weren't logged in yet. Attackers can use a browser-in-the-browser attack, a fake login window drawn inside the page itself, to create the illusion that you just used your passkey.

"But you can't steal the session cookie for the domain!"

Sadly, false. You can still phish users into downloading a malicious app that simply grabs all the cookies from the browser's local files. I admit this is an extreme scenario, but it's still possible.

"B-but still, you can't steal the private keys!"

Well, it is indeed impossible to extract the private keys from inside a hardware authenticator (assuming it's not flawed). But who cares, when all of my access tokens are already gone?

You can continue down this slippery slope as long as you want, and you are so smart that you will notice something is going wrong at some point. Maybe you will. But my point is that someone else won't.
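To be precise about what the "doesn't work on a different domain" argument above rests on: a passkey is scoped to an RP ID, the browser only offers it to origins within that RP ID, and the relying party re-checks the origin and RP ID hash that the browser put into the signed response. The following added example (my own illustration, not code from this post) shows that server-side check. The RP ID example.com, the lookalike domain exarnple.com, the challenge bytes and the client data are all constructed for the demo; the final signature verification against the stored public key is a separate step not shown here.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlsplit


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def origin_within_rp_id(origin: str, rp_id: str) -> bool:
    """The origin calling navigator.credentials.get() must be https and its host
    must equal the RP ID or be a subdomain of it. A lookalike such as exarnple.com,
    or example.com.evil.test, is a different registrable domain and fails."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return host == rp_id or host.endswith("." + rp_id)


def verify_assertion_context(client_data_b64: str, auth_data: bytes,
                             expected_challenge: bytes, rp_id: str) -> tuple:
    """Server-side checks on an authentication (webauthn.get) response.

    The browser already refuses to use a passkey from a foreign origin; the server
    repeats the check because clientDataJSON is covered by the assertion signature,
    so a mismatch here means the signature was produced for some other site.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(b64url_decode(client_data.get("challenge", "")),
                                  expected_challenge):
        return False, "challenge mismatch"
    origin = client_data.get("origin", "")
    if not origin_within_rp_id(origin, rp_id):
        return False, "origin %r is outside RP ID %r" % (origin, rp_id)
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    return True, "context ok"


def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.get") -> str:
    """Constructed stand-in for the clientDataJSON a browser would produce."""
    payload = {"type": ceremony, "challenge": b64url_encode(challenge),
               "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(payload).encode())


RP_ID = "example.com"           # the real site; the lookalike below is made up
CHALLENGE = bytes(range(32))    # fixed for reproducibility; use secrets.token_bytes(32) per login
# rpIdHash | flags (UP|UV) | signCount = 7; the authenticator data of a sample assertion
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + b"\x00\x00\x00\x07"


def demo() -> dict:
    """Run the check against legitimate, lookalike and malformed responses."""
    origins = {
        "real_site": "https://example.com",
        "real_subdomain": "https://login.example.com",
        "lookalike": "https://exarnple.com",
        "suffix_trick": "https://example.com.evil.test",
        "plain_http": "http://example.com",
    }
    results = {name: verify_assertion_context(make_client_data(o, CHALLENGE),
                                              AUTH_DATA, CHALLENGE, RP_ID)
               for name, o in origins.items()}
    results["stale_challenge"] = verify_assertion_context(
        make_client_data("https://example.com", b"\x00" * 32), AUTH_DATA, CHALLENGE, RP_ID)
    results["wrong_rp_hash"] = verify_assertion_context(
        make_client_data("https://example.com", CHALLENGE), b"\x00" * 37, CHALLENGE, RP_ID)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'pass' if ok else 'fail'} ({reason})")
```

This is the whole of the "phishing-resistant" guarantee: a credential signed on arnazon.com cannot be replayed to amazon.com, and nothing the victim types on the lookalike yields a usable assertion. It says nothing about what the victim is persuaded to type or install afterwards, which is exactly the gap the rest of this section is about.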

What I find really frustrating is that these "passkeys are phishing-resistant" messages are educating users in a very dangerous way. If I were just an average computer user, the message I'd get is, "Oh, I'm using passkeys, so I can never be phished, so it's fine to click every random link in my mailbox!"

It's a social engineering problem, and it cannot be fixed by technical engineering.

Wrap up

This really bothers me, because passkeys are indeed an improvement in some ways. I prefer public-key authentication to shared secrets. Delete attestation from the spec, admit passkeys are not a silver bullet, and I'm happy to use them.

Side note

I'm not a native English speaker, so please bear with my typos.

I used Claude to review my drafts, but I wrote all the words myself, and any mistakes are my own responsibility.