Remix.run Logo
lxgr 3 hours ago

Passkeys can absolutely constitute two factors. At least the iOS and Android default implementations back user verification (which the website/relying party can explicitly request) with biometric authentication, which together with device possession makes them two factor.

FreakLegion 2 hours ago | parent [-]

That's not what two-factor means. Forget about passkeys -- if you use a password manager, and that password manager has a biometric lock, your accounts don't thereby have a biometric lock as a second factor. The transitive property doesn't apply here.

lxgr 39 minutes ago | parent [-]

I’d say it does apply transitively, but only if the weakest link itself is also strong enough, and passwords are not.