Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Today we use lots of accounts with unique passwords. Obviously these passwords have to be stored somewhere. So I disagree with you when you say it’s a unique passkey thing.
Passkey has an advantage when it comes to phishing because it doesn’t totally rely on human intelligence or state of mind.
From a personal experience my data was leaked online, not because of phishing or I was careless. but it was leaked from a well known third party site which I used. They were affected by a very serious breach. Many unlike me use the same passwords for their emails and stuffs. But in case of passkeys there isn’t a shared secret. A breach will be useless.
I think you’re making my point. First, you’re right that passkeys can’t be phished. But access to the passkey manager can be. And now you’ve doubled your exposure to leaky third parties, once with the service you’re accessing and another with the passkey manager.