I implemented passkeys @ $WORK, and we rolled it out to our tech department only first. Nobody could make it work reliably, and troubleshooting it was basically impossible. The best you could do was just wipe their passkeys and have them try again.

I've since disabled passkey support and we have no plans to attempt a new rollout anytime soon.

As far as I can tell the only people that have "successfully" rolled out passkeys are the companies with effectively zero user support and they just refuse to support passkeys at all, so if they don't work for a particular user: whatever.

TOTP is fully rolled out and well supported. Troubleshooting it is "hard", but at least it's possible.

TOTP troubleshooting basically boils down to 3 things:

* Server time

* User Phone/device time(most users opt to use their phone to generate TOTP, but we don't care)

* More than one TOTP saved for a given site(i.e. they didn't replace the old and created a new TOTP shared key) or not saved at all.

Our tech/user support helpdesk can handle this but it took a lot of training. We built special tools. We still get requests from them when they get overwhelmed with the complexity.

Passkey troubleshooting:

* Mobile network, including bluetooth

* Server network connectivity

* Computer/device network, including BT connectivity to mobile device.

Most tech support can't handle that much complexity at once. Shoot, most developers and tech "whiz" people can't either. The error messages one does get, if they are lucky, are very general and not helpful at all(last I checked).

Passkeys are not currently fit for production where you have to support the users. I hope they get there.

1Password is the only client/device implementation of Passkeys that pretty much just works. It saves the passkey in the 1p vault, and the 1p vault can be synced across devices.