Passkeys can absolutely constitute two factors. At least the iOS and Android default implementations back user verification (which the website/relying party can explicitly request) with biometric authentication, which together with device possession makes them two-factor.
reply
That's not what two-factor means. Forget about passkeys -- if you use a password manager, and that password manager has a biometric lock, your accounts don't thereby have a biometric lock as a second factor. The transitive property doesn't apply here.
reply
I’d say it does apply transitively, but only if the weakest link itself is also strong enough, and passwords are not.
reply
And even a passkey on a phone that doesn't require authentication is immune to remote phishing and cloning.
reply
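The two comments above turn on whether the authenticator performed user verification (requested by the relying party, or absent on a phone with no lock). As an added example, not code from any commenter or vendor, this is how a relying party can read that from the authenticator data of an assertion. It assumes the RP ID `example.com`, uses constructed sample bytes, and assumes the assertion signature is verified elsewhere.

```python
import hashlib
import hmac
import struct

# Bits of the authenticator data "flags" byte, as defined by WebAuthn.
FLAG_UP = 0x01  # user present (e.g. a touch)
FLAG_UV = 0x04  # user verified (biometric or PIN checked by the authenticator)


def parse_auth_data(raw: bytes):
    """Split authenticator data into (rp_id_hash, flags, sign_count)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return raw[:32], raw[32], sign_count


def check_assertion_flags(raw: bytes, rp_id: str, require_uv: bool) -> str:
    """Return what the assertion's flags attest to; raise ValueError on policy failure."""
    rp_id_hash, flags, _ = parse_auth_data(raw)
    expected = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(rp_id_hash, expected):
        raise ValueError("rpIdHash does not match this relying party")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    verified = bool(flags & FLAG_UV)
    if require_uv and not verified:
        raise ValueError("user verification required but UV flag not set")
    return "possession+user-verification" if verified else "possession-only"


def sample_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build constructed sample authenticator data (37-byte fixed header only)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # assumed RP ID for this example
    locked = sample_auth_data(rp, FLAG_UP | FLAG_UV)  # biometric/PIN was checked
    unlocked = sample_auth_data(rp, FLAG_UP)          # touch only, no verification
    print(check_assertion_flags(locked, rp, require_uv=True))
    print(check_assertion_flags(unlocked, rp, require_uv=False))
    try:
        check_assertion_flags(unlocked, rp, require_uv=True)
    except ValueError as err:
        print("rejected:", err)
```

A relying party that wants the possession-plus-verification property has to both request user verification and reject assertions where the UV bit is clear.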
Someone gotta tell all these SaaS about that if so, because currently everyone is treating passkeys as an alternative to 2FA. Take a look at how GitHub handles it, for example: when you use TOTP, they'll ask you to replace TOTP with passkeys.
reply
They are an alternative to 2FA. Which means they aren't 2FA. If they were 2FA, they wouldn't be an alternative to 2FA. They'd just be 2FA.

Anyway, passkeys and FIDO broadly aren't the same thing. You can read the definition of passkeys at https://fidoalliance.org/passkeys/ or look at any of the marketing, which invariably talks about how great it is that you don't have to futz with passwords anymore.

FIDO credentials in general can obviously also be used as second factors. This is baked into the name of the original standard: U2F, Universal 2nd Factor. The specific point of passkeys though is that they're the single factor.

reply
Many do what you describe, probably because some manager somewhere needs to tick some checkbox.

But GitHub, specifically, allows you to sign in with a passkey. On the sign-in page, there's a "sign in with passkey" link. It activates my 1Password extension, asking if I want to use my passkey. I say yes, and I'm in, I don't type anything. This also works the same way with my YubiKey.

reply