I don’t usually refer to Wirecutter for digital sovereignty advice, but I was really impressed by this post which for the first time (to me, anyway) brought together everything in one place everything we all should know about passkeys vs passwords. I recommend clicking through to read it!
I use nextcloud passwords which is a perfectly serviceable password manager that can be easily added to a digitally sovereign nextcloud, with excellent apps for managing and accessing passwords on mobile devices and firefox.
It mentions yubikeys which NGO Information Sharing and Analysis Center (NGO-ISAC) gave out at the https://www.nten.org/ conference in Detroit this year. I picked one up but have to admit I have not taken the time to set it up yet! 
For 15 years, experts have told me that passwords are the biggest problem with online security and that’s just the way it is. The passwords that people make up are easily guessed by machines, and the ones that can’t be guessed are too hard to remember.
Over time, as more and more passwords became necessary, many people simply recycled theirs across different accounts — creating a precarious situation where one phished password or data breach gave an attacker access to the victims’ email, bank accounts, and anything else that shared that password.
Then came password managers, services and software in which a person could safely store all of their complex passwords and thus need to remember only a single password: the password for their password manager. This technology addressed, but didn’t solve, some of the problems. If people put in the effort, they could eventually have unique and complex passwords everywhere. But the majority of people did not opt to take on this herculean task that brought no immediate reward except that (maybe) in the future something bad might not happen to them (possibly). And a smart attacker could just phish even the best passwords anyway.
Two-factor authentication was the next bandage on the gaping wound of passwords. With 2FA protecting you, an attacker could have your password but wouldn’t be able to use it without a second confirmation, such as a code generated by an app or sent by text message. But another hoop to jump through for logging in remains a hard sell. And a smart attacker could just (you guessed it) phish most forms of 2FA anyway.
But passkeys are different. Instead of trying to fix unfixable passwords, passkeys are an entirely new technology that securely logs you in without your needing to remember your password or to perform a 2FA ritual. Passkeys are not perfect, and we’re still a ways off from their being commonplace, but learning what a passkey is and how to use it moves you a little closer to a more secure future
