The biggest hurdle to passkey adoption is going to be how complicated they are to implement for developers (relative to their advantages). I think that's the much more pressing matter than user adoption.
Can you tell more about it? I never tried to implement it myself, but when I quickly skimmed over relevant info, I didn't find anything particularly hard about it. Just some web APIs and some simple crypto (which is probably further abstracted in the libraries, but you can use crypto primitives directly if you want).
Doesn't look harder than proper password implementation with hashing, salting, etc.
The #1 issue as far as I'm aware is that there's no good story around portability. It sounds like using Passkey equals vendor lock-in right now.
Idk how representative this is, but there's been some criticism recently, and the response from some of the people behind passkeys implementation seems mostly dismissive of the criticism. I base this opinion after watching this 'debunking' video on the criticism of passkeys by some key players:
I was kind of surprised they sort of looked down on the people with concerns. I didn't really have a strong opinion about Passkeys, before watching this. But after watching, I got the impression the people behind Passkeys are probably smart as hell but perhaps not the best stewards of developing open standards and advocates for the general public.
Disclosure: I'm the author of the first blog post.
I think my personal biggest learning when developing passkey-based authentication is that there's a bunch of useful WebAuthn libraries for every major language / framework. However, these libraries only cover very basic use cases to log in and create a passkey. In real-life applications, though, there are so many scenarios (users deleting the private key of a passkey, users using non-passkey-ready devices, etc.) that require substantial work on your own and it's not really obvious when you start developing a passkey-based auth solution. It's something that most devs discover on the journey.
I implemented them for a personal project about 6 months ago. The library support is pretty good. The biggest draw for me was that it's easier for the users of my site to use passkeys.
So your auth will then be tied to their API and you'll be paying $30 a month + a per user fee.
What bugs me about that kind of thing is that there have been secure password and OAuth implementations that are easy to get started with for years, yet there's this continual edging into this space by people looking to make a buck and able to sell it to management because it has pretty dashboards. My personal take on these paid-for solutions is you have to do nearly as much work, and you lose understanding and power not having it integrated into your own product. Plus when one of these auth services gets compromised it's a far worse situation.