How are untrained users supposed to trust passwords if they don't understand the differences between unsalted SHA1 versus PBKDF2 versus bcrypt and probably don't know what practices their third party is doing to properly hash the password?
Explaining password managers like the browsers' or 1Password is easier than explaining passkeys. At least with password managers, you can export the whole database when switching platforms.
I agree. People ask the same questions about password managers just storing passwords.
One of the major failures of the passkey marketing is that the FIDO Alliance left it at:
1) Vendors marketing passkeys as this brand new thing for their customers;
2) Anyone technical needing to already know that passkeys weren’t this brand new vendor-specific thing, and reading the standards documents.
Passkeys are essentially just a marketing name for FIDO2 credentials with a focus on particular kinds of implementation. But FIDO didn’t bother to handle communications to technical folks outside the authentication space, and they’ve failed to do so effectively beyond that area.