Passkeys Adoption

Excellent work on Passkeys.

For context, I’m soon to release a Password Manager app that is built specifically for Apple devices only (iOS, iPadOS, macOS). A user’s vault items are encrypted on their own device and synced end-to-end encrypted via their own private iCloud database. As you’d expect, the app requires the user to enter their master password to unlock their vaults, and allows them to optionally enable Touch or Face ID for a passwordless unlock experience.

In this scenario where there is no third-party server involved, and auth takes place on-device only, is there any meaningful way an app like this can or should take advantage of Passkeys?

The only thing I can think of so far would be to allow the user to use a Passkey instead of a master password to unlock their vault. But aside from the convenience factor for the user in terms of UX, I’m not entirely sure I understand if there would be any major security advantage in doing so, over the app’s existing auth/unlock flow?

Answered by Apple Designer in 717123022

Passkeys are meant for client-server authentication. For on-device authentication, you likely want to take advantage of the device biometrics and Secure Enclave directly, using something from the LocalAuthentication framework.

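The on-device route the answer points at, as an added example that is not code from this thread or from Apple: the symmetric vault key is wrapped by a P-256 key held in the Secure Enclave whose use is gated by the currently enrolled Face ID or Touch ID. It uses the Security framework's access-control flags (which raise the same biometric prompt LocalAuthentication does); the key tag and the error type are assumptions.

```swift
import Foundation
import Security

// Added example, not code from the thread: an on-device vault unlock built on a Secure
// Enclave key gated by the enrolled biometrics. The key tag is an assumption.
struct PublicKeyUnavailable: Error {}
enum VaultUnlock {
    static let keyTag = Data("com.example.vault.unlock-key".utf8)
    static let algorithm: SecKeyAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM
    /// P-256 key that never leaves the Secure Enclave; `.biometryCurrentSet` makes it
    /// unusable if the Face ID / Touch ID enrollment changes.
    static func makeSecureEnclaveKey() throws -> SecKey {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                [.privateKeyUsage, .biometryCurrentSet], &error)
        else { throw error!.takeRetainedValue() as Error }
        let attrs: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,
                kSecAttrApplicationTag as String: keyTag,
                kSecAttrAccessControl as String: access,
            ] as [String: Any],
        ]
        guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error)
        else { throw error!.takeRetainedValue() as Error }
        return key
    }
    /// Wraps the symmetric vault key with the public half, so no biometric prompt here.
    static func wrap(vaultKey: Data, with privateKey: SecKey) throws -> Data {
        guard let publicKey = SecKeyCopyPublicKey(privateKey) else { throw PublicKeyUnavailable() }
        var error: Unmanaged<CFError>?
        guard let wrapped = SecKeyCreateEncryptedData(publicKey, algorithm, vaultKey as CFData, &error)
        else { throw error!.takeRetainedValue() as Error }
        return wrapped as Data
    }
    /// The Secure Enclave decrypts only after the user passes Face ID / Touch ID, so the
    /// plaintext vault key is never reachable without that check.
    static func unwrap(_ wrapped: Data, with privateKey: SecKey) throws -> Data {
        var error: Unmanaged<CFError>?
        guard let plain = SecKeyCreateDecryptedData(privateKey, algorithm, wrapped as CFData, &error)
        else { throw error!.takeRetainedValue() as Error }
        return plain as Data
    }
}
```

Store the wrapped blob alongside the vault; if decryption fails because no biometric is enrolled or the enrollment changed, the app falls back to the master-password path and re-wraps the key after the next successful password unlock.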
