Re: Oh boy here we go
Sweet. Summer. Child.
If you set up a passkey, your options are biometric and/or trusted devices. Those devices are often mobile phones, because this is becoming a phone-centric world, and phone platforms have been locked down from the beginning, unlike desktop computing platforms. As someone else said, making phones a single point of failure is stupid. Making phones a requirement to participate in society once again punishes poverty and forces humans to align with machines/corporation nation-states rather than the other way around - the tools have become the masters. Proprietary software is really just icing on the cake - pick between Apple or Google OS, pick one of only a few vetted authentication apps, pick your silo. There is no motivation to make it easy for people to break out of that silo, so good luck getting passkey auths to be "universal".
Phones are locked with either biometric data, unlock patterns, or PINs. Locking with biometric data makes it easier for law enforcement to force your phone open. Locking with patterns/PINs makes it easier for criminals to force your phone open (although it may take more time).
Let's take the scenario where a person's ONLY trusted device/passkey holder is their phone. Regardless of whether they use biometrics or device TOTP or whichever, they *cannot* experience a discontinuity in the integrity of that phone, whether by breaking or stealing. If either, they have to go to an untrusted device to secure their accounts. How do they get in? Device passkeys are dead in the water, and then they better have set up biometrics as a backup, and hope the device they want to log in on has a compatible FaceID-reading camera or a fingerprint reader, which isn't that common on computers. The two most feasible options that come to mind are backup codes (how often do you keep those on you? Are they on your phone? Are they easy to memorize? Did you print them out multiple times and keep them in safe places? Are they accessible?) or security questions, which are basically just... passwords!
In a world where both people had better password hygiene and companies protected passwords with the diligence they're supposed to, we probably wouldn't feel this need for passkeys. As it is, even if they're "more secure", the data has to live somewhere just like passwords do, and this will just pivot hackers' attention towards optimizing to attack passkeys instead. Maybe passwords will become the more secure authentication by virtue of everyone relying on passkeys.
Remember when banks and credit unions insisted on using "voiceprints" to authenticate people when they called their services? And remember a few months ago when AI-generated spoofed voices started to become nearly flawless imitations?