Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won’t work on another device.
Now I don’t know if that key can be stolen or not, or if it’s really more secure or not, as people have really unsecure pins.
Use a yubikey, that doesn’t vendor-lock you to an OS ecosystem. They make one with nfc so it’s not a pain to use with your phone.
I’m not sure if this is universal or specific to the last site I tried to use my Yubikey with as a passkey, but it only would allow it to be used as 2FA, not actual passwordless authentication.
I assume this is because Yubikeys don’t create a secret for each individual website I suppose? Not exactly sure about that one.
Both the website and your physical security token must support the right type of webauthn credentials (the token has storage for a certain number of slots with “discoverable credentials”).
Passkeys is a variant of the same which is bound to your device’s own TPM / SE security chip or equivalent, plus a synchronization feature for backups.
You can use Yubico keys as your passwordless logins. Both Google and Microsoft have this option.
Strangely enough, Google lets me “add” my Yubikey as a passkey, but then does not let me sign in with it due to it not being “recognized”. If I remove it as a passkey, and only use it as a 2FA token, attempt to sign in and use the “Enter your password” option, it will then let me use the key after I’ve entered my password as a second factor.
So it seems Google has removed the error (or its not triggering anymore) as they will have been one of the first sites I tried to create a passkey for, but it still does not let you use it as a passkey.
I haven’t encountered this issue, yet. I’m using LibreWolf browser (v118.0) and tested logging in my Google and MS account passwordless. BTW, I have Yubico Security Key NFC (the blue one).