Challenge-response with asymmetric encryption is pretty much perfect. I wish all auth worked like SSH.
Passkeys kind of take that concept, but make it suck. No backups. Terrible interoperability.
The other day I attempted to create one on my Mac with Firefox. The system passkey popup came up and made me scan a QR code with my iPhone that had to be connected to the internet. Bitwarden (my iOS passkey manager, that part works well) did open, but after selecting the profile to create the passkey in, it errored out. No passkey for me.
I haven't had any problems with syncing and using passkeys with 1Password and Firefox on MacOS, iOS, or Windows. When the site wants to create or use a passkey I get a prompt from 1Password on the device that I'm using. No need to involve a second device (which, security-wise, I'm fine with. If I really wanted to be sure there was no way of malware extracting the keys I would be using my Yubikeys.)
FWIW, I migrated to ed25519-sk SSH keys backed by FIDO2 credentials on my Yubikeys, and I really love it. The fact that my credentials effectively can never be lifted out of my hardware key is quite comforting.
What kind of Mac and what version of MacOS?
I remember those QR codes and needing to use my phone when I tried passkeys a couple years ago when I was on an older Mac that didn't have hardware support for biometrics.
Ever since I got a Mac with that support, passkey creation has worked fine entirely on the Mac.
I implemented passkeys @ $WORK, and we rolled it out to our tech department only first. Nobody could make it work reliably, and troubleshooting it was basically impossible. The best you could do was just wipe their passkeys and have them try again.
I've since disabled passkey support and we have no plans to attempt a new rollout anytime soon.
As far as I can tell the only people that have "successfully" rolled out passkeys are the companies with effectively zero user support and they just refuse to support passkeys at all, so if they don't work for a particular user: whatever.
TOTP is fully rolled out and well supported. Troubleshooting it is "hard", but at least it's possible.
TOTP troubleshooting basically boils down to 3 things:
* Server time
* User phone/device time (most users opt to use their phone to generate TOTP, but we don't care)
* More than one TOTP saved for a given site (i.e. they didn't replace the old one and created a new TOTP shared key) or not saved at all.
Our tech/user support helpdesk can handle this but it took a lot of training. We built special tools. We still get requests from them when they get overwhelmed with the complexity.
Passkey troubleshooting:
* Mobile network, including bluetooth
* Server network connectivity
* Computer/device network, including BT connectivity to mobile device.
Most tech support can't handle that much complexity at once. Shoot, most developers and tech "whiz" people can't either. The error messages one does get, if they are lucky, are very general and not helpful at all (last I checked).
Passkeys are not currently fit for production where you have to support the users. I hope they get there.
1Password is the only client/device implementation of Passkeys that pretty much just works. It saves the passkey in the 1p vault, and the 1p vault can be synced across devices.