Anyone use passkeys?

Hasn’t been much discussion of passkeys on the forum; they were mentioned briefly in this thread about passwords.

I have yet to use a passkey; at this stage I don’t know much about them or how to set them up. Is this something you can configure for anything, or does the other side have to allow them (e.g. banks, etc.)? I’m guessing it’s the next step after 2FA/MFA?


kerr, that was my post in the referenced thread.

I don’t use any Apple passkeys, which I assume to be an implementation of the ssh private and public key pair function.
With ssh keys you generate a pair (private and public keys); the machine with the private key can access any user account that holds the public key. The machine with the public key holds it in that user’s home folder in an authorized_keys file, as a string of text on one line. It could hold several different public keys to allow access from multiple external users.

The config file for ssh access can be set up to completely disable password authentication, so if no public key present matches a private key held by the accessing machine, no access is possible.
It is a one-way relationship though: the user account / machine holding the public key cannot access the one with the private key. Another key pair in the reverse direction is required for that.

But user accounts on multiple machines or multiple user accounts on one machine all with the same public key can be accessed by the private key holder.

Clear as mud? It took me a while to get my head around it. :thinking:

Hi Jim, no, passkeys are not for SSH. They are a form of “passwordless” login for web applications.

I recently set one up for Amazon, because it prompted me to do so at some point. The setup with Safari was pretty painless. Now when I sign in, it asks me to scan a QR code with my mobile device rather than entering a password (or selecting a saved password from keychain).


I did a bit of googling.
Passkeys are an implementation of the same principle as SSH keys.
Your iCloud account keychain holds the private key and your various online accounts hold copies of the public key.
Your iCloud account will be secured by 2FA to stop anyone accessing the private key with just an iCloud password. (With SSH keys the private key is stored in your user directory on your Mac, PC or Linux box, so physical access to the machine and/or credentials to get into your account are needed to access it.)

Bottom line is that no passwords are sent over the internet, nor stored on a remote server that might be hacked, in either implementation.
The public key is useless on its own.