
If passkeys become defined as resident keys, is this still true?

And if this is acceptable, honestly, do we need a new standard? Password managers exist today. Such that I already do what you are suggesting here with passwords. Does it really become much more secure by the move to passkeys?



Passkeys are for the people that don't even use password managers outside of what Apple or Chrome provides by default, if at all. Passkeys are trying to eliminate those ad hoc solutions by providing a different system. The transition will be slow and messy, requiring most people to use passkeys and passwords (and maybe password managers) for a while.


But if the passkeys are copyable off of where you are storing them, then I'm not entirely clear on how they truly up the security?

I mean, I get the obvious ways that a challenge system is better than a bearer token. But I feel a ton is lost as soon as you move to the exportable keys.

I'd love to see an exploration of these topics. I confess I have not been following them much lately.
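The challenge-response point raised in the comment above, as an added example that is not part of this thread or of any passkey implementation: a minimal relying party and authenticator in Go, modelled on the WebAuthn assertion flow (ECDSA P-256 over a server-issued challenge, an rpIdHash binding the assertion to the site, and a strictly increasing signature counter). The type names, the `origin|hex(challenge)` stand-in for clientDataJSON, and the `example.com` relying party are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for the key holder (phone, security key, password manager).
// The private key stays here; the relying party only ever sees signatures.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}
}

func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assertion is what crosses the wire, modelled on a WebAuthn get() response.
type Assertion struct {
	AuthData   []byte // sha256(rpID) || flags || 32-bit signature counter
	ClientData []byte // constructed stand-in for clientDataJSON: "origin|hex(challenge)"
	Sig        []byte // ECDSA over sha256(AuthData || sha256(ClientData))
}

func signedDigest(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert signs a relying-party challenge. Unlike a bearer token, nothing reusable
// is disclosed: the signature is bound to this challenge, origin and rpID.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) Assertion {
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05) // flags: user present + user verified
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, a.counter)
	authData = append(authData, ctr...)
	clientData := []byte(origin + "|" + fmt.Sprintf("%x", challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, clientData))
	if err != nil {
		panic(err)
	}
	return Assertion{AuthData: authData, ClientData: clientData, Sig: sig}
}

// RelyingParty stores only public keys, unconsumed challenges and the last counter seen.
type RelyingParty struct {
	rpID, origin string
	pubs         map[string]*ecdsa.PublicKey
	counters     map[string]uint32
	pending      map[string]bool // hex(challenge) -> issued and not yet consumed
}

func NewRelyingParty(rpID, origin string) *RelyingParty {
	return &RelyingParty{rpID: rpID, origin: origin, pubs: map[string]*ecdsa.PublicKey{},
		counters: map[string]uint32{}, pending: map[string]bool{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

func (rp *RelyingParty) NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	rp.pending[fmt.Sprintf("%x", ch)] = true
	return ch
}

func (rp *RelyingParty) Verify(user string, as Assertion) error {
	pub, ok := rp.pubs[user]
	if !ok {
		return errors.New("unknown user")
	}
	parts := bytes.SplitN(as.ClientData, []byte("|"), 2)
	if len(parts) != 2 || string(parts[0]) != rp.origin {
		return errors.New("origin mismatch")
	}
	// Single-use challenge: a captured assertion is worthless the second time.
	if !rp.pending[string(parts[1])] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, string(parts[1]))
	// rpIdHash binds the assertion to this site, so a phishing page cannot relay it.
	rpHash := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthData) != 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpId mismatch")
	}
	// Counter must strictly increase; a copy of the key that lags behind is caught here.
	ctr := binary.BigEndian.Uint32(as.AuthData[33:])
	if ctr <= rp.counters[user] {
		return errors.New("counter did not increase: possible cloned key")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientData), as.Sig) {
		return errors.New("bad signature")
	}
	rp.counters[user] = ctr
	return nil
}

func main() {
	rp := NewRelyingParty("example.com", "https://example.com")
	phone := NewAuthenticator()
	rp.Register("alice", phone.Public())
	as := phone.Assert("example.com", "https://example.com", rp.NewChallenge())
	fmt.Println("fresh assertion:", rp.Verify("alice", as))    // <nil>
	fmt.Println("replayed assertion:", rp.Verify("alice", as)) // already-used challenge
	clone := &Authenticator{priv: phone.priv}                   // exported copy of the key, counter restarts
	fmt.Println("lagging clone:", rp.Verify("alice", clone.Assert("example.com", "https://example.com", rp.NewChallenge())))
}
```

Two things this makes concrete for the exportable-key question: the challenge and rpIdHash checks still hold no matter how many copies of the private key exist, so phishing and replay stay off the table; the only copy-detection mechanism in the flow is the signature counter, and it only catches a clone whose counter has fallen behind the one the server last saw. An authenticator that always reports a counter of 0 (which the WebAuthn spec treats as "counter not supported") opts out of that check entirely, so a copied key that stays in sync is indistinguishable from the original.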


I think the general idea is that the vast majority of people have a smart phone, so the security model is to let people use the phone as the "key" to access services and take advantage of the biometrics/pin security as the main component of security access. This means that there are a lot of security compromises that make sense in the name of ease of use.

This model has been tested to some extent with Apple Pay and Google Wallet, which people take relatively seriously since there's money involved. I think the model makes sense to improve security for the masses, but it's not good for people that want and demand more (like people that already bought YubiKey products).


Oddly, Pay/Wallet work for completely other reasons, largely the absurd amount of monitoring that the credit companies do to watch your transactions, and the general legal framework around charges.

Consider that it is largely replacing 20-ish numbers with something else. It is slightly more convenient for folks, as you have your phone with you a lot.

So, for the passkeys, I know that there is a secure enclave in phones. I was not aware that they could store resident keys. Do you know what the limits are there?



