There seems to be a misunderstanding about passkeys, which are far more secure than passwords. They can't be phished and no one can guess them or trick you into providing any info. Your device already stores your fingerprint, pattern, ID, or face and the information can't be transfered anywhere else. (That's why you need to create a new passkey for every device you own.) You probably already use one of those methods to unlock your phone. That info can't be transmitted anywhere else, no OS allows that. If that were possible, malware could get ahold of it remotely and lock you out of your device, just like your passwords can get stolen now.
What actually happens is, the site or app asks for identification, you provide the unlock you use on your phone, the phone OS recognizes you, and sends a message to the app that you are who you say you are. It does not share your unlock code or biometric ID. In fact, there is no way that can be sent outside of the device. The app or web site only gets a message that yes, it's you.
Since there is no info to send, malware has no way to copy or steal your unlock info. It has to be you alone that verifies yourself on the particular device you're holding in your hand. Of course, if you do share a password or ID with someone, and they have access to your phone, then yes, they can pretend to be you using either a passkey or a password. It's up to you to manage that. But another person can't reproduce your face or fingerprint or any other biometric, which are safer ways to manage logins.
Due to the huge number of breaches that have been happening that expose passwords on the dark web, Apple, Google, and other tech companies worked together to create passkeys as a more secure way to identify yourself because no one can steal them. It's better than 2FA and way better than passwords alone. The only person who can log in is you, and only while you're holding the specific device the passkey is stored in.
CONSERVITVS • Volunteer Community Mentor
