Forum Discussion
datx
2 years ago · New Contributor
What am I missing with passkeys?
I am finally getting around to putting passkeys into action, but something isn't adding up.
As a low risk test, I added a passkey to a Best Buy account. Started up an incognito session, and logge...
datx
2 years ago · New Contributor
Thanks for the thoughtful response. I don't disagree with anything that you are saying.
However, the general marketing push (I think) in advocating for passkeys is the user is controlling their fate by switching from insecure (passwords) to secure (passkeys). Let's assume passwords are still allowed, and security is ultimately out of the user's hands (e.g., customer service rep changing password). In that case, I think it is incumbent on the arbitrators of the passkey "push" (developers, security folks, websites adopting passkeys, etc.) to document that if the user was not secure before passkeys (e.g., simple passwords), they aren't any safer after (without additional steps). A working bad password is still a bad password.
So far (and my review is LIMITED), I haven't seen anything saying, "change your old password to something complex and never use it again." I also have not seen an option to disable (permanently or temporarily) when a passkey has been enabled. Companies seem to be more excited about what passkeys can do (and those benefits) versus what it is doing at the moment (in combination with the previous weaknesses that aren't being addressed).
I guess my point is - if you are switching to passkeys, make sure you understand what it is (and is not) doing (on each site/app) and what steps you should be taking to increase their effectiveness (which I'm afraid isn't so evident to the typical user).
two_cents