Comment Re: They don't want to fail again. (Score 1) 102
Foundation is Apple, Amazon did take over The Expanse and did a good job with it.
It's interesting since the creators tend to think that's enough. The server is able to verify (and require) through user verification that a challenge was presented and answered correctly by the user. I assume that doesn't protect from the theoretical device that always returns yes, I do not know how they deal with the potential for nefarious authentication devices other than advising people not to use them. I am not a fan of the synced keys that are common with cell phones since it weakens the 'no direct access to key material' design and makes key theft more of a potential problem.
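As an added illustration of the point above (this is not the commenter's code), here is how a relying party reads the WebAuthn authenticator data returned with a passkey assertion and enforces the user-verification (UV) flag. The field layout (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signature counter) is the standard WebAuthn authenticatorData header; the function names, the rp_id value and the sample authenticator data are constructed for this example. It also shows why the "device that always returns yes" is a problem: the UV bit is just a bit the authenticator sets, so the server can only require it, not prove it was honestly produced.

```python
import hashlib
import struct
from typing import Dict, Tuple

# Flag bits of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # User Present (a touch or similar gesture happened)
FLAG_UV = 0x04  # User Verified (authenticator checked a PIN or biometric)
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows


def parse_auth_data(auth_data: bytes) -> Dict[str, object]:
    """Split the fixed 37-byte authenticatorData header into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_assertion_policy(auth_data: bytes, rp_id: str,
                           stored_sign_count: int,
                           require_uv: bool) -> Tuple[bool, str]:
    """Relying-party checks on authenticatorData (hypothetical helper).

    These run in addition to, not instead of, verifying the assertion
    signature over authData || SHA-256(clientDataJSON) with the stored
    public key. Note that a rogue authenticator can set FLAG_UV without
    verifying anyone; the server can demand the bit but cannot tell an
    honest PIN check from a device that simply claims one happened.
    """
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not parsed["user_present"]:
        return False, "user presence flag not set"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification required but UV flag not set"
    # Counter check from the WebAuthn spec: if either counter is non-zero
    # and the new value did not increase, the key may have been cloned.
    # Synced passkeys legitimately report 0, which skips this check.
    new_count = parsed["sign_count"]
    if (new_count != 0 or stored_sign_count != 0) and new_count <= stored_sign_count:
        return False, "signature counter did not increase"
    return True, "ok"


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct sample authenticatorData for testing (real data comes from the authenticator)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Constructed sample: UP and UV set, counter advanced from 9 to 10.
    sample = build_auth_data("example.com", FLAG_UP | FLAG_UV, 10)
    print(check_assertion_policy(sample, "example.com", 9, require_uv=True))
    # Constructed sample: only UP set, so a UV-required policy rejects it.
    no_uv = build_auth_data("example.com", FLAG_UP, 10)
    print(check_assertion_policy(no_uv, "example.com", 9, require_uv=True))
```

The policy decision lives in require_uv: a server that sets it gets the "PIN or biometric was checked" guarantee the comment describes, but only to the extent the authenticator is honest about the flag, which is why the remaining defence is attestation or a restricted list of accepted authenticators.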
They are also phishing resistant, unlike TOTP.
That's an argument against biometrics as a factor, passkeys already are MFA though.
Phone is one option but not the only one, hardware tokens like Yubikeys can also hold passkeys.
I wish articles like this would stop the focus on biometrics. It is one option to unlock the key storage but not the only one.
I guess Mission Center is mentioned but the point still stands.
I've seen this talked about a lot in the past day, but no mention or comparison to other tools that already do this, like System Monitoring Center or Mission Center…
Other than rust, what makes this one better?
That's a good point. I am leery of software solutions like phones or password managers where the keys are synchronized (therefore key material is available "somewhere") and potentially vulnerable to yet-unknown attacks. More trusting of the hardware tokens, after some number of failed pin attempts they clear the data. No doubt there are vulnerabilities in their firmware too that will someday be discovered but I'm not a big target, I'll notice if someone steals my keys.
Then you would unlock the local passkey vault with your password instead, and that password never leaves your device.
It's not really confusion, they are using FIDO2 with a nicer name and the FIDO2 tokens can store them. A Yubikey 5 can hold 25 of them. This is a change from MFA where the Yubikey generates the response on the fly so there is no limit.
The primary user-visible difference between Passkeys and MFA, is the passwordless "Passkey" implementation locks the keys and the MFA does not. Apple's keychain for example stores both MFA and passwordless certificates as "Passkeys". It can also sync them between devices, although this is worse for security, I think Windows Hello can probably sync them too.
Passkeys are generally stored on something you have, and rely on something you know to unlock the vault, unless you choose to go with a biometric unlock instead.
It uses something on the computer like Windows Hello, or prompts you to insert your hardware token, or shows a QR code that you can use with your cell phone, or your password manager offers to fill it in. Depends where you store it.
Currently Firefox ONLY supports hardware tokens, and Google throws that nondescript error if you try to set it up without the token plugged in first. If your token is plugged in it should prompt for the pin and then store the passkey, however Firefox does not prompt for the pin every time so it only mostly works. Other browsers provide more options like a QR code you can use with a phone, and Firefox is working on them.
Like a pin, and say after some wrong attempts the entire thing is cleared. Oh wait, they can already do that.
Biometrics is one option. I prefer a pin that never leaves my local device.
Do not underestimate the value of print statements for debugging. Don't have aesthetic convulsions when using them, either.