We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda sucked, so we ended up ripping it all out...
Passkeys aren’t a full replacement in my opinion, which is what DHH gets wrong. It’s a secure, user-friendly alternative to password+MFA. If the device doesn’t have a passkey set up you revert to password+MFA.
And the fewer times that people are entering their password or email/SMS-based 2FA codes because they’re using passkeys, the less of an opportunity there is to be phished, even if the older authentication methods are still usable on the account.