| ▲ | FreakLegion 4 hours ago |
| Passkeys are meant to replace passwords. Not being second factors is the point. |
|
| ▲ | lxgr 3 hours ago |
| Passkeys can absolutely constitute two factors. At least the iOS and Android default implementations back user verification (which the website/relying party can explicitly request) with biometric authentication, which together with device possession makes them two factor. |
| |
| ▲ | FreakLegion 2 hours ago |
| That's not what two-factor means. Forget about passkeys -- if you use a password manager, and that password manager has a biometric lock, your accounts don't thereby have a biometric lock as a second factor. The transitive property doesn't apply here. |
| |
| ▲ | lxgr 42 minutes ago |
| I’d say it does apply transitively, but only if the weakest link itself is also strong enough, and passwords are not. |
|
|
|
| ▲ | embedding-shape 3 hours ago |
| Someone gotta tell all these SaaS about that if so, because currently everyone is treating Passkeys as an alternative to 2FA. Take a look at how GitHub handles it for example when you use TOTP, they'll ask you to replace TOTP with passkeys. |
| |
| ▲ | vladvasiliu 3 hours ago |
| Many do what you describe, probably because some manager somewhere needs to tick some checkbox. But GitHub, specifically, allows you to sign in with a passkey. On the sign-in page, there's a "sign in with passkey" link. It activates my 1Password extension, asking if I want to use my passkey. I say yes, and I'm in, I don't type anything. This also works the same way with my YubiKey. |
|
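
Added example, not part of any comment above and not code from any site mentioned in the thread: the user verification that a relying party can request (WebAuthn option `userVerification: "required"`) comes back as the UV bit in the assertion's authenticator data, and the server has to check that bit itself. The function names and the `example.com` RP ID are hypothetical, and the sample bytes are constructed.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits in the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present (a touch or similar gesture)
FLAG_UV = 0x04  # user verified (biometric or PIN checked by the authenticator)


@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int


def parse_authenticator_data(data: bytes) -> AuthData:
    # Fixed header: 32-byte SHA-256 of the RP ID, 1 flags byte, 4-byte big-endian counter.
    if len(data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(data[:32], bool(flags & FLAG_UP), bool(flags & FLAG_UV), sign_count)


def check_assertion_flags(data: bytes, expected_rp_id: str, require_uv: bool) -> str:
    # Policy check only: signature and challenge verification happen separately.
    ad = parse_authenticator_data(data)
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return "reject: rpIdHash mismatch"
    if not ad.user_present:
        return "reject: user not present"
    if require_uv and not ad.user_verified:
        return "reject: UV required but not set"
    return "accept"


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    # Constructed test input, not a captured assertion.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    for flags in (0x01, 0x05):
        sample = build_sample("example.com", flags, 7)
        print(hex(flags), check_assertion_flags(sample, "example.com", require_uv=True))
```

An assertion with only UP set proves possession of the credential; only one with UV set also carries the authenticator's claim that it verified the user locally.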