This assumes passkeys will be widely adopted. And that users will know to stop wherever the passkey doesn't work. I have doubts about both.
The second is flat out wrong. Passkeys and U2F/FIDO2 do not depend on the user at all. Even if I completely fool you, the credential you get for example.com cannot be used on example.org because the protocol incorporates the host name. That’s why the security community is pushing them since phishing is so common and this shuts that down entirely. The attacks now tend to involve getting people to downgrade to password + SMS/TOTP so the more those fade from common usage the better everyone will be.
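The host-name binding described in the comment above, as an added Python sketch that is not part of the thread and not any library's code: the client writes the origin of the page it actually loaded into the signed data, and the site checks it. Assumptions: HMAC stands in for the credential's public-key signature, the challenge is a plain hex string, and `ToyAuthenticator`, `verify_assertion` and `demo` are hypothetical names.

```python
import hashlib, hmac, json, os
from urllib.parse import urlsplit

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

def sign(key, auth_data, client_data):
    # Stand-in for the credential's signature over authData || SHA-256(clientDataJSON).
    return hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

class ToyAuthenticator:
    """Browser plus authenticator: one key per RP ID (constructed model, not a real API)."""
    def __init__(self):
        self._keys = {}
    def register(self, rp_id):
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]  # real WebAuthn hands the site a public key instead
    def get_assertion(self, origin, challenge):
        rp_id = urlsplit(origin).hostname  # taken from the page actually loaded, not from the user
        key = self._keys.get(rp_id)
        if key is None:
            return None  # no credential is scoped to this host
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
        auth_data = rp_id_hash(rp_id) + b"\x05" + (1).to_bytes(4, "big")  # rpIdHash | flags | signCount
        return client_data, auth_data, sign(key, auth_data, client_data)

def verify_assertion(assertion, key, origin, rp_id, challenge):
    """Relying-party checks; returns "ok" or the reason for rejection."""
    if assertion is None:
        return "no-credential"
    client_data, auth_data, sig = assertion
    if not hmac.compare_digest(sig, sign(key, auth_data, client_data)):
        return "bad-signature"
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get" or fields.get("challenge") != challenge:
        return "bad-challenge"
    if fields.get("origin") != origin:
        return "wrong-origin"
    if not hmac.compare_digest(auth_data[:32], rp_id_hash(rp_id)):
        return "wrong-rp-id"
    return "ok"

def demo():
    device, challenge = ToyAuthenticator(), os.urandom(16).hex()
    site_key = device.register("example.com")
    device.register("example.org")  # the user also holds a separate credential for the other host
    check = lambda a: verify_assertion(a, site_key, "https://example.com", "example.com", challenge)
    return {"real site": check(device.get_assertion("https://example.com", challenge)),
            "relayed from example.org": check(device.get_assertion("https://example.org", challenge)),
            "unknown host": check(ToyAuthenticator().get_assertion("https://example.org", challenge))}
```

`demo()` returns the verdict for each case; the origin and RP ID checks remain as separate rejections for an assertion that carries a valid signature but names the wrong host.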
I think it is a significant benefit and likely to be implemented, especially considering client support is already there and there are good libraries available to do it.
Lack of understandability is the primary downside of passkeys, and I doubt it will be overcome in this decade. Authentication is like investing, one must understand the options for it to be effective.
I click a button, my phone/computer asks for biometrics etc and the passkey is loaded.
When more providers make it a default it will be even better. This isn't like enrolling 2FA, it's more akin to hardware tokens without the hassle of carrying around a hardware token...
For Bitwarden, this will be the hostname, and as such, will tell you that you don't have any passwords for moc.margatsni.nl
There are design issues at play here, but mitigations for most types of phishing are already available. Websites need to implement Passkey support, but any username+password website should work perfectly fine with password managers.