
Woah this is awesome. Does anyone know if this is using WebAuthn under the hood? Or is this a new spec? Would love to see Pub/Priv replace passwords


Yes, it uses WebAuthn under the hood. Passkeys have technically been available to developers for a while I think but very experimental still. I guess they've begun hitting new milestones.

This is basically the biggest problem with WebAuthn today: the credentials are tied to the browser -- or really whatever application is using WebAuthn, browser or not, name aside -- which means that if you register for a service with Firefox, you have to re-register with Chrome. If the service is designed for it, it might associate multiple public keys to a single "user." So Passkeys are just a pretty natural combination of two things to fix that: "WebAuthn keys, but inside iCloud Keychain." Presumably any apps that integrate with iCloud Keychain can then use them as expected.

Of course you can just export the key material, which in a sense is "all" Passkeys are doing: they're a formalization of how to export and manage those keys in keychain.

But there are still some major issues:

- Enrolling new devices from old ones. This is especially tricky for platform authenticators. For example I register for a website using FaceID on my iPhone, which uses the "platform" authenticator rather than the "cross-platform" authenticator, and now I need to enroll my MacBook and Windows desktop. They both need new keypairs, because the original account is using a platform authenticator. And the new keypairs might be either platform or cross-platform authenticators. This is especially prevalent on browsers (apps can work around it with a more specific scheme; see below).

- Similarly: cross-platform software for sharing or syncing credentials. Something like 1Password but with WebAuthn support for handling those cross-platform WebAuthn keys.

Both of those require a lot of software and decision making to get it all working correctly, both on the side of operators and clients. For example, in your own application (not a browser), you could simply use a platform authenticator like FaceID to read a cross-platform WebAuthn credential from iCloud Keychain, which would avert part of problem 1. But in a browser, Mac or iPhone users would probably like to use FaceID/TouchID, which are only available as a platform authenticator, so you'd have to handle that case of new enrollment.

There are also a million other issues, for example Windows Hello has like a million weird edge cases for how it works in and outside of the browser. macOS seems to be the furthest ahead here with the introduction of Passkeys, and the strong system-wide support for TouchID/FaceID/etc. I do not know what the state of Linux is; presumably you could integrate this with something like gnome-keyring but there's no synchronization service either.

So we're still a ways away from actually eliminating passwords. WebAuthn works today but does need a lot of extra oil to make it smooth, and it's still not a primary authentication mechanism unless you're very careful about your userbase. But Passkeys are a good start and will mean you'll need passwords in fewer apps, and you'll be able to log in securely more quickly. It's a small but needed step.


> This is basically the biggest problem with WebAuthn today: the credentials are tied to the browser

That's definitely not true. My Feitian ePass for example (very cheap USB dongle that lives with my house keys) works just fine to sign me into GitHub on this desktop PC w/ Firefox on Linux, it works fine via a USB-C to USB-A adaptor to sign in on my Android phone w/ Chrome, and likewise on the Windows laptop I use for work when I needed to access my personal site briefly at Christmas and that was the only laptop I'd brought with me.

If you have credentials tied up in some proprietary system then, yeah, they're trapped in there, and in Apple's case they've decided to make it possible to move the credentials to another Apple device via iCloud.


Yeah, since Apple's (and Google's) soft WebAuthn implementation is designed for syncing across devices, it should also work with many browsers on the same machine.

