Let’s start with a smartphone. A user creates an account with a passkey for a service, that passkey gets stored on their smartphone, and they can use biometrics to sign in from then on. The private key is stored on the smartphone. Great.
But then how do you sign into that same service from a different device?
If it’s by using a password manager, some third party piece of software, How do you sign in on a device where you’re not allowed to install third party software?
I use 1Password as my Passkey holder so it’s device agnostic. But if 1Password ever pulls a LastPass, it won’t seem like a clever solution anymore.
1Password can’t fail that hard easily. They’ve done great write-ups to compare their architecture to that of LastPass. Long story short: it’s the secret key that protects you: https://blog.1password.com/what-the-secret-key-does/
If 1Password becomes annoying, you might want to consider Bitwarden, which, if worst comes to worst, you can host yourself. Unlike Keepass you don’t need to manually sync a password blob. However, that also means that if Bitwarden’s/your server is down, synchronising will be impossible.
We’re in the process of adopting BitWarden at my job. I’m liking it so far. Not enough to convince my family to switch (yet), but enough that I wouldn’t hesitate to jump over there if I needed to.
I would suggest to move to KeepassXC, which already shown that even when KeepassX was too slow to implement features the community was healthy enough to fork it and make it the main fork.
The wallet itself is nice, but managing the database transfers between devices isn’t really something I want to do manually, especially given that devices like Apple’s iPhones don’t support background syncing, crippling Syncthing clients, or alternatives
I’ve used it on a iPhome once with a Syncthing alternative client and some alternative Keepass app. It worked very well but it was only for a month or two and I don’t change passwords often so I might not realized that syncing doesn’t work well.