Agunlex
Newcomer I

Password-LESS Era

With the daily familiarity in the use of the fingerprint login method, do you think the use of passwords as a login method will be eradicated completely in the nearest future?

4 Replies
emb021
Advocate I

"the daily familiarity in the use of fingerprint login method"

what's that??  I don't use that and never have.

Everything I access wants a password and often a secure code (texted or from an app).

So, yeah, I don't think passwords are going away in the short term.  Maybe at some point.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
dschimanski
Viewer II

You can hear a lot of voices on the internet praising passkeys as the future and the end of all/most passwords. As long as they are seen as secure, I suppose.

cosminm
Viewer

Agreed. Then you realise for Microsoft passkey access relies on a simple 12345 PIN that people usually set (for convenience), at which point the whole security crumbles 🙂

denbesten
Community Champion


@cosminm wrote:

... passkey access relies on a simple 12345 PIN

The PIN is local to the device, greatly shrinking the attack surface and making it trivial to level-up to a more secure credential after too many failed attempts.  Similar to how your phone requires a password instead of pin/face-ID after a reboot.

The real beauty of passkeys is that they rely on public-key cryptography, rather than a user-chosen shared-secret.  This offers a bunch of benefits:

  1. Users do not have the opportunity to use the same password across multiple sites, nor can they choose weak passwords.
  2. It frees users from ineffective and inconsistent password complexity rules.
  3. The private key is not transmitted over the Internet, making it impractical for an adversary-in-the-middle to harvest credentials for later use.
  4. The private key is never on the (web-) server, rendering its account database an insufficient place to steal credentials.
  5. The passkey itself is "something you have", meaning that if access to the passkey is protected by a PIN, password or biometrics, one has achieved multi-factor-authentication.
  6. The private key can be stored in hardware, making the passkey compliant with AAL3, NIST's strongest authentication level.
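To make points 3 and 4 concrete, here is an added example (not code from anyone in this thread) of the public-key challenge-response that passkeys build on, reduced to its core: the server stores only a public key and a one-time challenge, the device signs the challenge with a private key that never leaves it, and a captured signature is worthless once that challenge is spent. It is a simplified model of WebAuthn using Ed25519 from Go's standard library; origin binding, attestation and signature counters are left out, and the user/account names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// RelyingParty is the web server: it stores public keys and one-time challenges, never a secret.
type RelyingParty struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // outstanding challenge per user, consumed on first use
}

func NewRelyingParty() *RelyingParty { return &RelyingParty{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Register receives only the public key; the private key never leaves the device.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte nonce for a single login attempt.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[user] = c
	return c
}

// Verify consumes the outstanding challenge and checks the signature; a replayed assertion finds none and fails.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	c, ok := rp.challenges[user]
	delete(rp.challenges, user)
	pub, have := rp.pubKeys[user]
	return ok && have && ed25519.Verify(pub, c, sig)
}

// Authenticator is the user's device; the PIN or biometric that unlocks it is checked locally, never sent.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv}, pub
}

// Assert signs the server's challenge; the signature is all that crosses the network.
func (a *Authenticator) Assert(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }
```

Someone who copies the server's account table gets only public keys, and someone who records a login gets a signature over a challenge the server will never issue again.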