The main problem with passkeys is that perfect became the enemy of good. Passkeys 1.0 should have been nothing more than an exportable private key synced by your browser or password manager.
Instead, the push for storing them non-exportable in TPMs means that the UX is completely busted when trying to use them across Microsoft/Apple/Google/Linux.
I'm currently considering adding passkeys to my services. If I do, the plan is to attempt to detect if the user has a password manager and only offer passkeys if yes. It's the only way I've thought of to ensure decent UX.
I believe the client side exposes a global ID as part of the WebAuthn flow, which would let me only accept IDs from 1Password, Bitwarden, etc. But I haven't verified that.
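The "global ID" the commenter is thinking of is most likely the AAGUID, a 16-byte identifier of the authenticator model (not of the user) that sits inside the authenticatorData an RP receives at registration (in the browser, `credential.response.getAuthenticatorData()`). The parser below is an added example, not code from the original post; the sample bytes and the allow-list entry are constructed placeholders, and a real deployment would map AAGUIDs to vendors using published metadata. Caveat: the AAGUID is only present when the attested-credential flag is set, and some authenticators report all zeros, so an RP should treat an absent or zeroed value as "unknown" rather than trusting it.

```javascript
// Parse WebAuthn authenticatorData and extract the AAGUID.
// Layout: rpIdHash(32) | flags(1) | signCount(4) | [attestedCredentialData]
// attestedCredentialData (only if flags bit 0x40 "AT" is set):
//   aaguid(16) | credentialIdLength(2, big-endian) | credentialId | COSE key
function parseAuthenticatorData(buf) {
  if (buf.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const flags = buf[32];
  const out = {
    rpIdHash: buf.slice(0, 32),
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    attestedCredentialIncluded: (flags & 0x40) !== 0,
    signCount: view.getUint32(33, false), // big-endian per spec
    aaguid: null,
    credentialId: null,
  };
  if (!out.attestedCredentialIncluded) return out;
  if (buf.length < 55) throw new Error("attested credential data truncated");
  out.aaguid = formatUuid(buf.slice(37, 53));
  const credLen = view.getUint16(53, false);
  if (buf.length < 55 + credLen) throw new Error("credential id truncated");
  out.credentialId = buf.slice(55, 55 + credLen);
  return out;
}

function formatUuid(bytes) {
  const h = Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("");
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

// Constructed sample (not a real authenticator response): rpIdHash of 0x11s,
// flags 0x45 (UP|UV|AT), signCount 7, aaguid 01020304-..., 4-byte credential id.
const SAMPLE = Uint8Array.from([
  ...new Array(32).fill(0x11),
  0x45,
  0x00, 0x00, 0x00, 0x07,
  ...Array.from({ length: 16 }, (_, i) => i + 1),
  0x00, 0x04,
  0xde, 0xad, 0xbe, 0xef,
]);

// Hypothetical allow-list; the value is a placeholder, not a real vendor AAGUID.
const ALLOWED_AAGUIDS = new Set(["01020304-0506-0708-090a-0b0c0d0e0f10"]);

function isAllowedAuthenticator(authData) {
  const parsed = parseAuthenticatorData(authData);
  // Missing or all-zero AAGUID: the authenticator did not identify itself.
  if (!parsed.aaguid || /^[0-]+$/.test(parsed.aaguid)) return false;
  return ALLOWED_AAGUIDS.has(parsed.aaguid);
}
```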