Passkeys are finally mainstream — but the cross-device sync story is still a mess
Apple, Google, and Microsoft all support passkeys now. Most major sites have them. The FIDO2 spec is stable. On paper, the password replacement we've been waiting for since 2013 is actually here.
But cross-device sync has some problems that don't get discussed enough.
If you're all-Apple or all-Google, it works fine — passkeys sync through iCloud or Google Password Manager without thinking about it. The problem is platform switching. Move from iPhone to Android and your passkeys don't follow you cleanly. You end up reverting to passwords during the transition, which defeats the whole argument.
Third-party password manager support is still inconsistent. Bitwarden added passkeys but some sites reject them and insist on a platform passkey. 1Password handles it better but the patchwork is real — and it's exactly the kind of footnote that makes recommending passkeys to non-technical people awkward.
The phishing-resistance argument — the strongest security case for passkeys — holds only if origin binding is enforced. Some browser extension flows quietly bypass it, which is a meaningful gap for the exact use cases where phishing actually matters most.
The spec is solid. Adoption speed has been genuinely impressive. But "switch everything, no caveats" — not quite there yet. What's been your experience? Specifically curious whether anyone has navigated the Apple-to-Android migration cleanly.
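The origin binding the post refers to is only as strong as the relying party's validation of each assertion. As an added example (not part of the original post), the Python below runs the WebAuthn binding checks a server performs on `clientDataJSON` and `authenticatorData`; the domains, challenge value and function names are constructed for illustration, and signature verification over `authenticatorData || SHA-256(clientDataJSON)` is assumed to happen separately.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding clientDataJSON uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_errors(client_data_json, authenticator_data, challenge, origin, rp_id):
    """Return the names of failed binding checks; an empty list means all passed."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON"]
    if not isinstance(client, dict):
        return ["clientDataJSON"]
    errors = []
    if client.get("type") != "webauthn.get":
        errors.append("type")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        errors.append("challenge")
    # Exact string match: no prefix, suffix or substring comparison.
    if client.get("origin") != origin:
        errors.append("origin")
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return errors + ["authenticatorData"]
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        errors.append("rpIdHash")
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        errors.append("userPresence")
    return errors

def sample(origin, rp_id, challenge):
    """Constructed assertion fields as a browser at `origin` would produce them."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return client, auth

if __name__ == "__main__":
    issued = b"constructed-challenge-0001"
    expected = ("https://login.example.com", "example.com")
    for origin, rp in [expected, ("https://login.example.com.phish.test", "phish.test")]:
        cdj, ad = sample(origin, rp, issued)
        print(origin, binding_errors(cdj, ad, issued, *expected))
```

An assertion produced on the look-alike origin fails both the `origin` and `rpIdHash` checks, which is why a client that fills in these fields without tying them to the page actually being visited weakens the guarantee.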