Disclaimer: Co-Founder Corbado here. I think the simplicity actually for the user is why they are so successful already. I can understand a lot of the criticism, although I am not that skeptical regarding the lock-in. I think this discussion is probably already lost with most consumers having their life within Google or Apple cloud via the mobile phone. Although the discussion is valuable, it should not be held over passkeys.
For passkeys, we truly believe even if those options are weighed against each other, the benefits are weighing more. Big consumer-facing platforms have huge problems securing accounts for users. If you force them to use classic MFA (SMS or TOTP), the usage drops and recovery/fallback processes skyrocket. They don't want MFA. Risk-based MFA can help but is not perfect as attacks get more precise.
So we think the adoption will be faster than browser developers can get around fixing all of the issues, because once a standard is adopted, it gets more and more difficult to streamline things. But we are looking forward to it.
Of course, we see it that way, because we are building a company around it, but I have been battling against account takeover for years and took great pride in trying, as a developer, to protect the data our users entrusted to us. So I see a real chance here to improve security in the consumer market.
When it comes to security, having to paper over buggy, not well realized implementations is just asking for disaster.
You want your security code to look and act and BE boring. Nothing about Passkeys fits that definition at the implementation or code level.
The idea IS awesome, the implementation is terrible. Not because they were awful developers that implemented it, but because it got rushed to production before it was ready. If they continue to iterate and fix the issues and make the implementation boring, close off all the edge cases, etc., then it will be amazing and I'll praise passkeys. Until then, I'm afraid it's a new X.509/client TLS cert in the browser disaster waiting to happen.