
> Now with passkeys, it seems we are just throwing all those arguments overboard and are saying 1 factor (something you have, e.g. hardware device) is enough.

That was my initial reaction too. I think the assumption is that the second factor is whatever you use to unlock your device (a “something you know” if that is a password/passphrase or “something you are” if that is biometrics).

I'm not convinced any of it is as much more secure than user+pass as is being claimed. Passkeys being device/AU dependent adds a bit of hardship to someone trying to hack your account, but people seem to be suggesting sharing passkeys between devices/AUs using their password managers, which nullifies that effect?


