Even the closed-system solution pose problems. I think it didn't get much airtime, but when Chrome switched their approach to save passwords, a lot of users lost access to their accounts. A case where a feature wasn't sensibly discontinued.
The workaround now isn't using passkeys, something few people understand. Instead most seem to be migrating to an external password managers. Honestly, I don't have many arguments against this as these at least generate save passwords. There are many advantages to this approach.
I believe moving forward, sticking to passwords might indeed be more viable. I think explaining users to upload their public ssl key is safer and more universal at this point.
I use password as main auth method for everything (via a pw manager) - but then I often add passkey or similar for convenience.
If I get locked out I still have the trad method as fallback; for me that’s the best of both worlds.
If you don’t offer password as method I will not use your service.
The worst are those that only offer code via email/sms or social login - miss me with that …
except passkeys bought you a false sense of security and easy. yeah the happy path is easier because you're just generating new keys... but if the user ever gets a new phone or sit in front of another device, now passkeys are more complicated than the alternative.
sadly the world became too dumbly complacent to question their devices.
The workaround now isn't using passkeys, something few people understand. Instead most seem to be migrating to an external password managers. Honestly, I don't have many arguments against this as these at least generate save passwords. There are many advantages to this approach.
I believe moving forward, sticking to passwords might indeed be more viable. I think explaining users to upload their public ssl key is safer and more universal at this point.