Any kind of authentication method that relies on a string that can possibly be manually typed into a box by an end-user can never be made to be highly resistant to phishing.
> What has stopped developers from using irreversible transformations on stored passwords in the past? The math was there.
I don’t understand what point you’re making here. Are you saying “why didn’t people create a different standard than WebAuthn?” or are you saying “strong password hashing methods exist, so why do so many websites use bad ones”? Or are you saying something else?
> You become dependent on an easily stolen or destroyed device for authentication.
No, you don’t, because passkeys on Apple platforms are stored in iCloud Keychain, which syncs across all your devices with end-to-end encryption. They’re not solely on your phone.
> It is a fantastic user experience until you're a plane flight away from home, your phone gets stolen. Your passkeys are safe in the secure enclave.
They are stored in iCloud Keychain, not the Secure Enclave. And you can recover access to your iCloud Keychain is even if you lose your phone, and even if you lose all of your devices.
> The flight options are in an app that you don't have the passkeys any more for.
You could just go through the account recovery flow for the airline app to regain access to your account. Whether you use a password or a passkey as your primary credential for logging in has very little to do with account recovery logging into an airline app. The app needs to continue to handle users who get locked out of their airline account for a variety of reasons.
