I've had an article on 2FA pending for months. Trying to consolidate all notes here.
A few weeks ago, Apple announced Passkeys, shortly followed by MS, and now Google. Passkeys are a TERRIBLE idea, and it worries me that for-profit companies are trying to portray them as something that's good for consumers when it's quite the opposite.
Passkeys are far less secure than REAL (hardware) 2FA, in most cases add little to no security, are an excellent vector for vendor lock-in, and carry enormous risks by handling secure material ONLY on internet-connected devices.
In this article, I cover each of these items in full detail.