Here is where I fall off the boat. If we learned EXACTLY ONE THING from the Crypto Coin world it was this: if you put something valuable on your computer or your phone, PEOPLE WILL WORK DILIGENTLY TO STEAL IT. Often in creative ways, like otherwise silent drive-by clickless exploits in browsers delivered by Ad Networks.
What part of "Good security is security where you don't get to run code on the device providing the security, ever." did they miss?
I am completely at a loss to explain this fail.
https://developer.apple.com/videos/play/wwdc2022/10092/
Most (not all, but most) of the criticisms I’ve seen of passkeys are a result of people making incorrect assumptions about the problems they were meant to solve.
For example, to solve password reuse, weak credentials, phishing, and credential theft from server breaches, you need easy to use, convenient WebAuthn credentials. The convenient part is that they are available on all your devices via secure (E2E encrypted) syncing.
The linked talk covers all of this in a lot more detail.
In theory, because most consumer-grade providers do offer some sync option, which breaks the "100% hardware" guarantee and could allow malicious software to use this functionality to steal the raw key material for later offline use.
Passkeys are a slight upgrade in terms of security but a huge upgrade in terms of vendor lock-in and discouraging people from escaping whatever Big Tech walled garden they're currently in. That's why they're being pushed so hard.
So you don't use a password manager, and instead use the same password everywhere (or at most a few of them), along with the same email address (or perhaps a couple of them)? If so, you should be made aware of credential stuffing: https://en.wikipedia.org/wiki/Credential_stuffing
>What part of "Good security is security where you don't get to run code on the device providing the security, ever." did they miss?
You have misapprehended how Passkeys are implemented; the site you are accessing does not run code on your machine for Passkeys.
As an aside, the site requesting the Passkey is part of the signed response; in other words, malicious sites impersonating a site cannot cause your browser to generate a Passkey for the site they are impersonating.
If you are so worried about sites running code on your box, disable JavaScript entirely in your browser.
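The origin binding the reply above describes is what a relying party checks server-side before it even looks at the signature. The following is an added example written for this thread, not code from any commenter or from a WebAuthn library: it simulates the assertion a browser returns from `navigator.credentials.get()` for a constructed relying party `example.com`, then verifies the fields that tie it to that site (ceremony type, fresh challenge, `origin` in clientDataJSON, `rpIdHash` in authenticatorData, user-presence flag, signature counter). The names `make_assertion`, `verify_binding` and `signed_message` are this example's own. The final step, checking the ECDSA signature over the bytes `signed_message` returns with the public key stored at registration, is left out here so the block runs with the standard library alone.

```python
# Added example, not part of the original thread: server-side binding checks
# for a WebAuthn assertion. All data is constructed; example.com is a placeholder RP.
import base64
import hashlib
import json
import secrets


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(origin: str, rp_id: str, challenge: bytes, counter: int = 1) -> dict:
    """Simulate the browser + authenticator side of navigator.credentials.get().

    A real authenticator scopes the credential to rp_id and the browser fills in the
    page origin; a phishing page cannot influence either value for someone else's site.
    """
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()      # 32 bytes
    flags = b"\x05"                                           # UP (bit 0) + UV (bit 2)
    auth_data = rp_id_hash + flags + counter.to_bytes(4, "big")  # 37 bytes total
    return {"clientDataJSON": client_data_json, "authenticatorData": auth_data}


def verify_binding(assertion: dict, expected_origin: str, expected_rp_id: str,
                   expected_challenge: bytes, last_counter: int = 0) -> tuple:
    """Return (True, "ok") or (False, reason) for the checks preceding signature verification."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge is per-login and server-issued; a stale one means a replayed assertion.
    if not secrets.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or stale login)"
    # The browser, not the page, writes origin; a look-alike domain shows up here.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    auth_data = assertion["authenticatorData"]
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    # The authenticator hashes the RP ID it scoped the key to; it must be our RP ID.
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(expected_rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    counter = int.from_bytes(auth_data[33:37], "big")
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase (possible cloned credential)"
    return True, "ok"


def signed_message(assertion: dict) -> bytes:
    """The bytes the authenticator's signature covers: authenticatorData || SHA-256(clientDataJSON)."""
    return assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)  # issued by the server for this login
    legit = make_assertion("https://example.com", "example.com", challenge)
    lookalike = make_assertion("https://examp1e.com", "examp1e.com", challenge)  # constructed phishing origin
    print(verify_binding(legit, "https://example.com", "example.com", challenge))
    print(verify_binding(lookalike, "https://example.com", "example.com", challenge))
```

Run as a script, the legitimate assertion verifies and the look-alike one is rejected at the origin check; even a forged clientDataJSON that claims the right origin would still fail on `rpIdHash`, because that hash is written by the authenticator, and the signature (over the bytes from `signed_message`) would not verify under the real site's stored public key.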
The good thing about passwords is that they just depend on your mind. You can travel through any country with hostile customs with empty pockets. No one can get your "authentication device" and there is not even proof that you have an account on any website. Or that you don't have multiple of them.
It's true that unsynced/hardware-bound credentials can help mitigate such attacks, but they cannot prevent them. The primary threat model of Passkeys is password theft via phishing, reuse, server-side compromise, etc.
If you want to use a USB security key, you still can--Passkeys do not take away from that. But most people are unwilling to go buy a USB key or carry one around, which is where Passkeys--arguably a bit less secure, but far better than the passwords they replace--are still a great step forward.