A new login technique is becoming available in 2023: the passkey. The passkey promises to solve phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is. There’s a good reason for that. A passkey is in some sense one of two (or three) different things, depending on how it’s stored.
That’s the part where the server doesn’t story any information that an attacker could use to log in. The attacker would need the private key, which is stored inside a secure chip on your device (unless you decide to store it in your password manager). All that’s stored server side, is the public key.
When you’re using a password, the server will store a hashed version of that password. If this is leaked, an attacker can attempt to brute-force this leaked password. If the server didn’t properly store hash the password, a leak simply exposes the password and allows the attacker access. If the user didn’t generate unique passwords for each site/server, that exposes them further to password spraying. In that case an attacker would try these same credentials on multiple sites, potentially giving them access to all these accounts.
In case of passkey, the public key doesn’t need to be secret. The secret part is all on your end (unless you store that secret in the managed vault of your password manager).
I do agree that your risk is quite small if you’re already