Passwords and password managers seem good enough to me, and TOTP support is everywhere now.
Passkeys just feel like a standard written by large tech companies as a flywheel technology to keep me locked into whatever hardware and software ecosystem I'm already in since seemingly no one besides maybe Bitwarden supports exporting them. Which seems pointless, because I don't know of any platform that supports importing them.
I am also getting tired of corporate white knight nerds defending trillion dollar companies telling me that portability isn't a concern.
A couple years ago there were several posts here about not using PassKeys, and I went along with that for a bit. But I’ve fallen in love with them. They’re so nice to use with 1Password.
I suppose I might want to stop using 1Password someday, but it still has all my passwords as well so I can just fallback to those. And, honestly, only a fraction of the sites I have in 1Password have PassKeys available.
What I hate much more is sites that don’t have passwords and require you to log in via email every time. It drives me NUTS.
Passkeys are an API that requires the use of a password manager. It doesn’t lock you into any hardware any more than your password manager does already.
You can’t copy a passkey to a different password manager, but you can create a new one for the same account, which is usually just as good.
I use Yubikeys as my passkeys, and in terms of security it's strictly superior to passwords.
> seemingly no one besides maybe Bitwarden supports exporting them. Which seems pointless, because I don't know of any platform that supports importing them
That may still change in the future :-). The thing is that the technology allows it, which is good, right?
Password/TOTP does not protect you against phishing. The phishing site can forward the password and TOTP you type into the real system, gaining your access.
FIDO/WebAuthn/Passkeys protect you against phishing, because of the origin binding mentioned in the article. On the phishing site, the required credential cannot be generated, and so no matter how convincing it is you can't accidentally give them a credential to forward.
Phishing is what these systems were trying to defend against.
Now if you were to say that the move from plain FIDO tied to a hardware key to passkeys tied to a Google account was a lock-in ploy, then I might be more inclined to agree.
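The origin binding this reply describes, as an added example (Python; not code from the thread or from any WebAuthn library): a minimal model of what the browser stamps into a WebAuthn assertion and the checks a relying party runs on it before signature verification. The RP ID, origins and challenge are constructed; the actual signature is omitted.

```python
import base64
import hashlib
import json

# Constructed values for this example: the relying party and its one allowed origin.
RP_ID = "example.com"
ALLOWED_ORIGIN = "https://example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_assertion(page_origin: str, challenge: bytes) -> tuple:
    """Model what the browser hands the authenticator on a given page.
    The browser, not the page, fills in `origin` and hashes the RP ID derived
    from the page's own domain; the authenticator signs over both, so a page
    cannot claim an origin it is not actually served from. (In practice the
    browser would not even find a credential scoped to the phishing domain.)"""
    rp_id = page_origin.removeprefix("https://")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": page_origin}
    ).encode()
    # authenticatorData: SHA-256(RP ID) || flags (UP|UV) || 4-byte sign count
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x07"
    return client_data, auth_data


def rp_accepts(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> bool:
    """Origin-binding checks the relying party makes on an assertion, before it
    even gets to verifying the signature with the stored public key."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False
    if client.get("origin") != ALLOWED_ORIGIN:  # rejects an assertion made on another site
        return False
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the browser used.
    return auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()


if __name__ == "__main__":
    challenge = b"constructed-random-challenge-32b"
    # User really is on example.com: accepted.
    print(rp_accepts(*browser_assertion("https://example.com", challenge), challenge))  # True
    # A look-alike page relays the real challenge, but the browser stamps its own
    # origin and RP ID hash into the signed data, so the real site rejects it.
    print(rp_accepts(*browser_assertion("https://examp1e.com", challenge), challenge))  # False
```

Contrast with a password plus TOTP, which carry no origin at all and so survive being retyped into the real site.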