
Password managers can store the passkeys just like they store passwords. 1Password has had strong support for them for quite a while now


Yeah probably can. But why do I need Passkeys?


If you’re asking in earnest: For the majority of users, Passkeys offer a pragmatic alternative to passwords that is far superior in terms of security.

For you, based on what I’ve read in your comments, I would say that Passkeys are the first workable alternative to passwords. They are built on WebAuthn which (roughly summarized) was the standard developed by Google and Yubico in direct response to the Operation Aurora attack.

While the Apple/Microsoft/Google implementations of Passkeys likely won’t meet your personal standards, they’re built on a proven and well designed open standard. Which means you can benefit from the technology without buying into a corporate ecosystem.


If you use a software-based password manager, passkeys are indistinguishable from passwords both from a UX perspective and a security perspective.

If you store passkeys in hardware, then yes, passkeys are more secure, but you lose portability.


> If you use a software-based password manager, passkeys are indistinguishable from passwords both from a UX perspective and a security perspective.

That's not correct. Passkeys use public-key cryptography and a challenge-response authentication mechanism, so an adversary in possession of a read-only copy of the database of the service you're trying to authenticate with won't be able to authenticate as you - which is very much a security improvement over passwords, even when both are stored in a password manager.


> an adversary in possession of a read-only copy of the database of the service you're trying to authenticate with

True, but GP is referring to the private key on the (user’s) device or computer being stored in a password manager. The main protection that passkeys offer in such a case is that there’s no case of passkey reuse across services and accounts, which is something that’s possible with passwords even if one used a password manager (albeit poorly by not generating unique passwords for each account).


This is wrong, as a MITM or keylogger can't steal a passkey, while they can steal a password.


Since the passkey is the private key in the private-public pair, if it’s stored on a password manager it can definitely be stolen by malware (if you could have a key logger, you could have something else too). The only solution is to have the passkey (actually private key) reside in hardware or be protected by dedicated hardware.


1: Phishing protection

2: Protection against data breaches since Passkeys are not reused

3: Ability to login to devices you don't own without entering a password (QR code scanning)


Strong mitm and phishing protection.
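The three properties argued over in this thread (a copied server database is useless for logging in, credentials are never reused across sites, and a look-alike origin cannot obtain a usable assertion) can be shown with a small simulation. The code below is an added example written for this thread, not code from any of the commenters or from the WebAuthn specification. It uses toy textbook RSA over two Mersenne primes so that it runs on the Python standard library alone; real passkeys use ECDSA or EdDSA, and these primes are public, so the key has no real security. The `RelyingParty` and `Authenticator` classes, the `examp1e.com` phishing origin and the user name are all constructed for the demo. It deliberately does not model the case raised above of malware reading the private key out of a software password manager: the private key is assumed to stay inside `Authenticator`.

```python
import hashlib
import secrets

# Toy textbook RSA over two Mersenne primes. Constructed for illustration only:
# real passkeys use ECDSA (P-256) or EdDSA via WebAuthn, and these primes are
# public, so this key provides no real security.
_P, _Q = 2**89 - 1, 2**107 - 1
_E = 65537


def generate_keypair(p=_P, q=_Q, e=_E):
    """Return (public_key, private_key) for a toy RSA key."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


def _digest(challenge: bytes, origin: str) -> int:
    # Hash the challenge together with the origin the client saw. Truncated to
    # 160 bits so the integer is below the toy modulus (about 2**196).
    h = hashlib.sha256(challenge + b"|" + origin.encode()).digest()[:20]
    return int.from_bytes(h, "big")


def sign(private_key, challenge: bytes, origin: str) -> int:
    return pow(_digest(challenge, origin), private_key["d"], private_key["n"])


def verify(public_key, signature: int, challenge: bytes, origin: str) -> bool:
    return pow(signature, public_key["e"], public_key["n"]) == _digest(challenge, origin)


class RelyingParty:
    """Server side: stores only public keys plus outstanding challenges."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.credentials = {}  # user -> public key; this is all a DB breach leaks
        self.pending = {}      # user -> one-time challenge

    def register(self, user: str, public_key) -> None:
        self.credentials[user] = public_key

    def begin_login(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def finish_login(self, user: str, signature) -> bool:
        challenge = self.pending.pop(user, None)  # each challenge is usable once
        if challenge is None or signature is None:
            return False
        # The server verifies against its own origin, so a signature made for a
        # phishing origin never validates here.
        return verify(self.credentials[user], signature, challenge, self.rp_id)


class Authenticator:
    """Client side (password manager or hardware key): holds private keys,
    each scoped to the origin it was created for."""

    def __init__(self):
        self.store = {}  # (origin, user) -> private key

    def create(self, origin: str, user: str):
        pub, priv = generate_keypair()  # a fresh credential per site, never reused
        self.store[(origin, user)] = priv
        return pub

    def get_assertion(self, origin: str, user: str, challenge: bytes):
        # Origin binding: a look-alike domain has no credential registered, so
        # the authenticator has nothing to sign and the phishing page gets nothing.
        priv = self.store.get((origin, user))
        if priv is None:
            return None
        return sign(priv, challenge, origin)


def demo() -> dict:
    rp = RelyingParty("example.com")
    auth = Authenticator()
    rp.register("alice", auth.create("example.com", "alice"))  # constructed user

    # 1. Normal login: challenge from the server, signed by the authenticator.
    c1 = rp.begin_login("alice")
    a1 = auth.get_assertion("example.com", "alice", c1)
    legitimate = rp.finish_login("alice", a1)

    # 2. Server DB copied: the attacker holds only the public key. The best they
    #    can do is compute with the public exponent, which does not verify.
    c2 = rp.begin_login("alice")
    pub = rp.credentials["alice"]
    forged = pow(_digest(c2, rp.rp_id), pub["e"], pub["n"])
    db_breach_forgery = rp.finish_login("alice", forged)

    # 3. Replay of a previously captured assertion against a fresh challenge.
    c3 = rp.begin_login("alice")
    replay = rp.finish_login("alice", a1)

    # 4. Phishing: a look-alike origin relays the real challenge to the client.
    c4 = rp.begin_login("alice")
    phishing_origin = rp.finish_login("alice", auth.get_assertion("examp1e.com", "alice", c4))

    return {
        "legitimate": legitimate,
        "db_breach_forgery": db_breach_forgery,
        "replay": replay,
        "phishing_origin": phishing_origin,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `legitimate: True` and `False` for the other three cases. The interesting line is `finish_login`: the server never learns anything that lets it (or whoever copies its database) act as the user, which is the difference from a password hash that can be cracked offline, and because the origin is folded into the signed digest, an assertion obtained on one domain is worthless on another.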



