PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
The funniest part is that no matter how many security factors we use to replace passwords (two factor auth, passkeys, security keys, etc) there's always a backup that's just another password.
Why does #Sharkey / #Misskey need an "authenticator app" registered before you can use a hardware key? That doesn't make sense #security wise.
Yeah I know it's to prevent people from just accidentally getting locked out of their accounts, but there should be an option for #FediAdmins to allow this risk. 🤔