I think the biggest barrier to adoption is lack of end user demand for the service. That is followed by people not understanding/believing the incredible increase in user experience and security. It's almost like people think it is too good to be true.
No -- every origin has it's own Public/Private key that is stored on the TPM chip on your device. The TPM is designed specifically for securing these keys.
Each passkey is a modest amount of data, and I don't see a person having so many passkeys that the TPM gets full.
That's a great article, thanks. In fact, it's a fantastic article. I read it a couple of weeks ago, and learned a lot. Thanks.
Apple's changes do degrade security, but I think it is important to note that even with those degradations, Apple passkeys are still many orders of magnitude more secure than passwords.
They cannot block access. The passkeys are actually stored on your devices in a Trusted Platform Module. When moved to the cloud, they are E2E encrypted, and the transferring platform has zero knowledge of your keys.
Currently, you cannot move them to other devices without the cooperation of some cloud service, or the like. At some point you'll have to trust someone to move passkeys between devices.
WebAuthn is the short name for the "FIDO Alliance Web Authentication Protocol".
"Passkey" is the trade name (that Apple tries to own) for the "stuff" that results from using the WebAuthn protocol. At it's root, a passkey is really the private key portion of that "stuff" that is kept. So yes, in practice, a passkey is the result of a WebAuthn implementation.
MS, Apple, and Google don't implement WebAuthn. Companies like mine do. Each website out there that wants to use passkeys needs to employ WebAuthn, whether via build or buy. What the "Big Three" do is leverage their OS's and platforms to enable the storage and migration of passkeys within their eco-system. WebAuthn is implemented in their browsers, and they enable the use of passkeys (which websites make happen via implementing WebAuthn).
One thing to note is that the Big Three also make a small adjustment to the WebAuthn protocol to allow passkeys to shared inside their cloud infrastructure. This every so slightly reduces the security of passkeys (which start out as very, very many orders of magnitude more secure than passwords).
I think the biggest barrier to adoption is lack of end user demand for the service. That is followed by people not understanding/believing the incredible increase in user experience and security. It's almost like people think it is too good to be true.