Background - software developer (including encryption / security features), dev manager, software architect.
Before passkeys, I used a combination of hardware security keys (Yubikey) for 2FA and TOTP for the most important accounts, and password managers with syncing for lower-value accounts. For the occasional high-value account that did not offer 2FA, those passwords were only stored on PIN-protected hardware keys and never in the password manager. It is complicated and not for everyone, but it fits my threat model and my tolerance for the complexity. I don’t recommend this model to my non-technical friends and relatives, because they just can’t make it work.
Since passkeys became available, I have treated them mentally in my threat model as basically equivalent to a username + password. Slightly more convenient, slightly more secure, but the security advantages all disappear the moment they are stored in a syncable software-based password manager. A secure password manager with 2FA certainly reduces the risk considerably, but it still represents a single source of failure for all the high-value targets it contains, whether they are passwords or passkeys. This is the same principle that precludes ever storing TOTP seeds in a software-based password manager. So if the account being protected by passkeys is “low value” in my model, or if it is additionally protected by hardware-based 2FA, then I put the passkey in the BW vault for convenience. I didn’t add a new column to my mental matrix for passkeys; I treat them as equivalent to a password that, depending on value, might require a second factor on a different platform. This is commonly understood and practiced in my experience with software development teams, but not by the average computer user in the rest of the company.
I do like the concept of software-based passkeys instead of passwords, and I strongly prefer having them in a cross-platform synced BW vault instead of being tied to O/S or browser ecosystems. I’m just not going to give up the additional layer of hardware-based, non-syncable MFA for high-value accounts.
Finally, I will offer my opinion that the roll-out of passkeys has been a technical communications disaster everywhere. It’s been sold as “it just works, you don’t have to understand the details” with a lot of hand-waving to ignore the obvious problems. The benefits of passkeys are being greatly oversold as more secure and automatically managed. Every tradeoff that makes them more secure makes them less convenient and more likely to be irrecoverably lost. Every tradeoff that makes them more convenient makes them less secure. This is a common principle to anyone with experience in software security. Passkeys are being pushed to the average consumer as a magic solution to this fundamental tradeoff, and they are not.
There has been very little useful information about what is actually being stored, and where, for the O/S implementations, browser implementations, password manager implementations, mobile phone as a separate key, and hardware keys. There are trade-offs of security vs. convenience for every choice, and even if all the information were accurately communicated, the average consumer isn’t suited to make the decisions. The simple default could be “if you were using a username and password, use a passkey instead.” That still doesn’t touch the decisions about whether to use O/S, browser, or password manager. My concern is that people will use all of these interchangeably without knowing the difference. In a few months, when all these inexperienced users start replacing lost mobile phones or switching home computers, they will lose access to some portion of their passkeys and not understand why. That’s the importance of at least understanding the choices, and picking only one of them to use exclusively. The current ecosystem of O/S, browsers, and password managers makes it very hard to do.