The first thing I thought when I read this is how can the author make the specific criticisms of links/OTP codes and then suggest passkeys, which have pretty much the same issues x10. Like if using an OTP from your phone or copying a link from your phone when using a work PC to visit a website is a pain, how much easier/better/same is it to try and have your work computer work with your personal passkey from a laptop or something?
> how much easier/better/same is it to try and have your work computer work with your personal passkey from a laptop or something?
Passkeys support authentication via a secondary device over Bluetooth (and this is supported in every major browser on every major platform). So you can log in to a site on a machine that’s completely disconnected from your personal passkey store by scanning a QR code with your personal phone.
The login flow basically goes “request login with passkey” -> “browser recognises it doesn’t have the needed passkey, and offers a QR code to scan” -> “scan QR code with phone” -> “phone and browser handshake via Bluetooth” -> “passkey handshake happens between website and phone” -> “login completes”.
I’ve personally used this flow with my work laptop and my personal iPhone many times. iOS has built-in support for the passkey QR codes, so you can scan the code with the standard camera app. Additionally, iOS supports allowing third-party password managers to take over the passkey flow once you’ve scanned the QR code. So in my case I complete the flow with 1Password.
End-to-end the flow is pretty damn seamless, I’ve never personally had it fail, and it takes 30 seconds to complete. The most annoying part is trying to remember where my phone is.
Even if we assume that you're ok with connecting discrete and disparate devices together (and you always have your personal tracking device near you all the time), Bluetooth is basically a giant bag of vulnerabilities and weaknesses.
> Even if we assume that you're ok with connecting discrete and disparate devices together (and you always have your personal tracking device near you all the time)
This is a solution for the masses. If you're not comfortable with it, nobody is forcing you to use it, and it certainly doesn’t diminish the value passkeys provide over traditional passwords and OTPs for the vast majority of people.
> Bluetooth is basically a giant bag of vulnerabilities and weaknesses.
That doesn’t really matter. The whole point of passkeys is their cryptographic primitives make snooping on the handshake pointless. Everything is E2E between the passkey provider and the site you’re authenticating against. There’s no dependency on Bluetooth's security to ensure that the actual passkey handshake is secure.
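To make the point in the reply above concrete (that what crosses the phone-to-browser link is a signed challenge, not a secret), here is an added, simplified model of the WebAuthn assertion ceremony, written for this thread rather than taken from any commenter, browser or passkey provider. It assumes an ES256 (P-256/SHA-256) passkey, skips attestation and CBOR, and treats the Bluetooth/QR transport as an opaque pipe that simply delivers the challenge one way and the assertion the other. The relying party checks the things that actually make a captured handshake useless: the challenge must be fresh and single-use, the origin must match, the signature counter must increase, and the signature must verify against the public key it stored at registration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models the phone-side passkey: the private key never leaves it.
type Authenticator struct {
	priv  *ecdsa.PrivateKey
	rpID  string
	count uint32 // signature counter, incremented on every assertion
}

// RelyingParty models the website: it holds only the public key and issues challenges.
type RelyingParty struct {
	pub       *ecdsa.PublicKey
	origin    string
	rpID      string
	lastCount uint32
	pending   map[string]bool // outstanding single-use challenges
}

// clientData is the subset of WebAuthn clientDataJSON that matters here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what travels over the (hypothetical) Bluetooth tunnel back to the browser.
type Assertion struct {
	AuthData   []byte
	ClientJSON []byte
	Sig        []byte
}

// NewPair stands in for registration: the phone generates a key pair and the site keeps the public half.
func NewPair(rpID, origin string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	a := &Authenticator{priv: priv, rpID: rpID}
	rp := &RelyingParty{pub: &priv.PublicKey, origin: origin, rpID: rpID, pending: map[string]bool{}}
	return a, rp, nil
}

// NewChallenge issues a random 32-byte challenge that may be answered exactly once.
func (rp *RelyingParty) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c, nil
}

// Sign builds authenticatorData (rpIdHash || flags || counter) and signs
// SHA-256(authData || SHA-256(clientDataJSON)), as an ES256 authenticator does.
func (a *Authenticator) Sign(challenge, origin string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	a.count++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append([]byte{}, rpHash[:]...)
	authData = append(authData, 0x01) // flags: user present
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], a.count)
	authData = append(authData, cnt[:]...)
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientJSON: cd, Sig: sig}, nil
}

// Verify performs the relying-party checks; any one failing rejects the login.
func (rp *RelyingParty) Verify(as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Origin != rp.origin {
		return errors.New("origin mismatch (the phishing-resistance check)")
	}
	if !rp.pending[cd.Challenge] {
		return errors.New("unknown or already-used challenge (replay)")
	}
	delete(rp.pending, cd.Challenge) // single use, even if a later check fails
	rpHash := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if as.AuthData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= rp.lastCount {
		return errors.New("signature counter did not increase")
	}
	cdHash := sha256.Sum256(as.ClientJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, msg[:], as.Sig) {
		return errors.New("bad signature")
	}
	rp.lastCount = count
	return nil
}

func main() {
	a, rp, _ := NewPair("example.com", "https://example.com")
	c, _ := rp.NewChallenge()
	as, _ := a.Sign(c, "https://example.com")
	fmt.Println("first login:", rp.Verify(as))  // <nil>
	fmt.Println("replayed assertion:", rp.Verify(as)) // rejected: challenge already used
}
```

Nothing in `Assertion` is secret: an observer of the transport learns a public-key signature over a challenge it cannot reuse, and cannot produce a signature over the next challenge without the private key that stayed on the phone.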
> > take 30 seconds to complete
> also, ouch.
That includes the time taken to fish my phone out of my pocket.