David Heinemeier Hansson

Implementing passkeys can be extremely complex and their user experience is often subpar. Even in ideal conditions with synced devices, they can pose challenges, especially if access is needed from a non-primary device. While passwords have their issues, such as potential breaches if reused across services, passkeys aren't necessarily a better solution. Using email as a second factor on the first login from a new device is a viable alternative. The author concludes that the complexity and challenges of passkeys don't justify their use over traditional passwords and email-based 2FA solutions.

Passwords have problems, but passkeys have more

I firmly believe in just using a password manager, making the passwords 14+ characters long, totally random, all special characters allowed. Passkeys are just a hassle… The one or two I have work on my MBP and my iPhone, but only because I also have Bitwarden; take that away and I’d be screwed.

As a user I can’t stand login via e-mail link…
I use strongs and uniques password on each websites and when I have to leave a login form to go to my inbox I feel “punished” in my UX.

Just using a password manager and unique passwords is the way to go.

Of course, Passkeys are not the ONE solution for every problem concerning authentication, but saying that passkeys have more problems than passwords is kind of misleading.
Passkeys have different problems than passwords and I think one thing that passkeys have over passwords is, that the good old brain memory cannot be used to “store” them anymore. Maybe Passkeys are a transition technology to some idealistic place in the future, but from my perspective, passkeys are much better than passwords.

Honestly, I think passkeys are a horrible solution. One of my biggest gripes with it is that I cannot scope access; with passwords, I can leave or share credentials to other people - eg. my wife, to be used in case of emergency; I don’t need to give full access to devices and consequently everything tied to those specific passkeys. A good example would be allowing 3rd party access to email, insurance apps or even banking apps if I’m not available to provide it.
If you die, that’s it. No more access. Lost your backups because both the credentials and the subscription details for the online service were stored on a passkey-enabled account? tough luck. Lost access to the bank account, and takes months to go through the legal procedures? tough luck.
Also, malicious actors won’t need your collaboration to access the myriad of subsystems that may require authentication - they can just chop off your finger and be done with you - it is quite faster to just chop off a couple of fingers than beating you to get some codes.