Saved February 14, 2026
Do you care about this?
This article outlines key insights gained from building passkeybot, a tool for adding passkey authentication to websites. It covers secure enclaves, the difference between user presence and user verification, and what attestation does and does not guarantee in passkey systems. The discussion also touches on Related Origin Requests, cross-device (Bluetooth) sign-ins, and the use of PKCE in authentication flows.
If you do, here's more
The author shares insights gained from developing passkeybot.com, which simplifies adding passkey authentication to websites. One building block is the Secure Enclave Processor (SEP) in Apple devices, which holds the passkey's private key: the key is generated inside the enclave and never leaves it in plaintext, so the main operating system, and any malware running on it, can only ask the enclave to sign a challenge, never read the key. The distinction between User Presence (UP) and User Verification (UV) also matters: UP only means someone touched the authenticator (a button tap), while UV means the authenticator itself checked a biometric or PIN/passcode before signing. A site that needs to know who approved an action must require UV and check the UV flag in the signed authenticator data rather than trusting anything the client reports.
Authenticators, whether hardware (a security key, a phone's secure element) or software (a platform or password-manager implementation), generate the key pair and sign the relying party's challenge; the browser exposes them through the WebAuthn API (navigator.credentials), so a site does not have to care which kind is in use. Attestation is a statement, signed with a key the authenticator's vendor provisioned, about the make and model of the authenticator that created the key pair. It has two limits. It is only produced and checked at registration, so once a passkey syncs to other devices the original attestation no longer describes where the private key lives and cannot enforce a hardware-bound policy later. And because it identifies the device model it can be used to fingerprint users, which is why the WebAuthn default attestation preference is "none" and a site has to ask for it explicitly.
The article highlights a risk that passkeys do not remove: if an attacker can run JavaScript on the site (through a compromised dependency or an injection bug), they control what the authenticator is asked to sign, and can show the user one request while submitting another. The author suggests that authenticators could go further by verifying the integrity of the HTML and JavaScript loaded on the page. Newer features aim at smoother sign-in. Chrome's "immediate" mediation for navigator.credentials.get() asks only for a passkey the browser can present right away and otherwise rejects quickly, so the page can fall back to its usual login form instead of showing an empty passkey prompt. Related Origin Requests let a passkey bound to one RP ID be used from other origins the relying party lists in a document at /.well-known/webauthn. The cross-device (hybrid) flow lets a user sign in on a public computer from their own phone: a QR code and a Bluetooth Low Energy proximity check connect the two, and the private key never leaves the phone.