Hacker News

Codebook links passwords to specific websites/RPs. Some people don't take phone calls from random callers.

Can Apple allow existing password managers like Codebook to manage passkeys and synchronization locally?



> Codebook links passwords to specific websites/RPs. Some people don't take phone calls from random callers.

Sure, but passwords are still multiple-use, and sometimes auto-fill fails (often due to websites actively messing with it), requiring me to manually copy-paste the password and exposing me to phishing risk, or that of insecure/malicious applications on my system sniffing the clipboard.

> Can Apple allow existing password managers like Codebook to manage passkeys and synchronization locally?

Unfortunately not at the moment. There is some hope though, given that Apple has recently added a TOTP API for third-party authenticators, but I'm personally not holding my breath.


> sometimes auto-fill fails

For those, Safari share sheet -> "Find in Codebook" = dialog with URL-matched credentials appearing first.

> insecure/malicious applications on my system sniffing the clipboard

iOS now requires interactive user consent for apps to Paste from clipboard.


> iOS now requires interactive user consent for apps to Paste from clipboard.

Fortunately it does – a big security win. But unfortunately, macOS does not yet, and I'm copy-pasting passwords there more often.

I often wonder whether drag and drop of text is actually more secure than the pasteboard.


> Codebook links passwords to specific websites/RPs.

WebAuthn is different:

1. The client (browser) knows which site is requesting credentials, which means a phishing site cannot ask for another legitimate site's credentials

2. Credentials are created as private keys and unique per-site.

3. The authentication protocol does not share secrets; it is based on public/private keys.

4. The authentication protocol involved indicates the requesting origin.

There are still vulnerabilities if you have compromised DNS or JavaScript on the site, but it is overall significantly stronger against phishing and credential reuse attacks than password managers could provide before - even those with browser integration.



