I love device-bound passkeys. They’re convenient, are a form of automatic 2FA (something I have, and something I know/am), phishing resistant, and breach resistant. I can even live with creating a new key/account/device for my most important accounts, knowing that I can go via the account recovery route on new devices.
OTOH, creating a key/account/device is pretty inconvenient. Most likely, some people who are used to passwords are going to be confused as to why. For newer generations, maybe they would think it’s a hassle and would look for a more convenient method. This is where the syncable passkeys can come in.
For syncable passkeys, you most likely would either rely on the OS platforms or the password managers as sync providers. The OS platforms typically don’t implement such functionalities across all the platforms/browsers. If you can live within the walled garden of an OS platform, then you don’t need the password managers (e.g. Apple Keychain seems to work pretty well, and safely). For everybody else, then it’s the password managers.
I use BW primarily for cross-platform accessibility and some on-line functionalities. Without these, I would have stayed with the off-line password managers. I think convenience would still be a major factor going forward for me, and I think this will be true for some other people as well.
I think the FIDO Alliance (Passkeys (Passkey Authentication)) has a point:
The usability of a password replacement must compete with the convenience of passwords, and one of the primary usability benefits of passwords is that they can be used from any device.
Syncing means that passkeys are available from all of a user’s devices using the same sync provider. And just like passwords, visiting a website from another device does not require going through a credential registration/creation flow — cross-device sign-in is supported via an enhancement to the FIDO Alliance Client to Authenticator Protocol (CTAP) that uses Bluetooth Low Energy (BLE) to verify physical proximity.
If the cryptographic key is bound to the user’s computer or mobile device, then every time the user gets a new device, the RP would have to fall back to other methods of authentication (typically a knowledge-based credential such as a password). In practice, this often means that the first sign-in on a new device will be both inconvenient and phishable.
Passkeys solve this issue because they are available on the user’s device if and when the user needs them — starting from the very first sign-in to a website from that device. Last but not least, users often forget passwords and don’t set up backup emails and phone numbers. With passkeys, as long as the user has their device, they can sign in; there is nothing to forget. Because passkeys can be backed up, they can be better protected from loss.
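As an added example (not from the original post or the FIDO document), here is how a relying party can tell a synced passkey from a device-bound one: WebAuthn authenticatorData carries Backup Eligible (BE) and Backup State (BS) flags next to the rpIdHash that gives passkeys their origin binding. The sample data is constructed inline and example.com is an assumed RP ID.

```python
import hashlib
import struct

# WebAuthn authenticatorData flag bits (WebAuthn Level 3, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced (a "syncable passkey")
FLAG_BS = 0x10  # backup state: credential is currently backed up by a sync provider

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }

def classify_passkey(auth_data: bytes, expected_rp_id: str) -> str:
    """Return how the RP should treat the credential: rejected, device-bound, or synced."""
    parsed = parse_auth_data(auth_data)
    # rpIdHash must equal SHA-256 of this RP's ID: the origin binding that keeps
    # passkeys phishing-resistant whether or not they are synced.
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "rejected: rpIdHash does not match this RP"
    if not parsed["user_present"]:
        return "rejected: user presence not asserted"
    if parsed["backup_eligible"]:
        # Syncable: a new device on the same sync provider can sign in without
        # the RP falling back to account recovery.
        state = "backed up" if parsed["backup_state"] else "not yet backed up"
        return f"synced passkey ({state})"
    # BE clear: the key stays on this authenticator, so a new device needs a fallback.
    return "device-bound passkey"

def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData with no attested credential data or extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

# Constructed samples for the assumed RP ID example.com
DEVICE_BOUND = build_auth_data("example.com", FLAG_UP | FLAG_UV, 42)
SYNCED = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
```

A sign count of 0 on the synced sample reflects that synced passkeys typically do not maintain a counter, so an RP should not treat that alone as a cloning signal.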