• Passkeys are indeed only the first factor. A second factor could be a(n unrelated) password, or raw biometric data.

    The traditional authentication factors (something you know, something you have, something you are) still work like they used to. Passkeys use the “something you have” factor by default.

    The “something you are” factor (biometrics) isn’t commonly used, because most services actually use a stored secret that gets unlocked through biometric rather than biometrics data directly; any fingerprint login is just a public/private key in implementation, except the hardware is supposed to not use that key unless the biometrics sensor validates you.

    Theoretically you could achieve the same factor as passkeys by logging in through username + TOTP code, because TOTP codes are only supposed to be generated on a dedicated device you have.

    With some implementations of passkeys, the factor becomes a bit ambiguous. For example, a synchronised passkey behind just a password might as well be a password, albeit for a different service.

    For traditional passkey storage (a TPM, a Yubikey), this isn’t a problem of course.

    • Bitrot@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      The second factor doesn’t necessarily exist, since you’ve moved all of that to the client side now. It entirely depends on implementation and that the implementation is done correctly and is honest. The server only knows that you have the key, it’s single factor authentication.

      In the past, it verifies that I know the password and that I have a key on the server side through separate challenges.

      It’s still way better than username / password, it just has new (more difficult) vulnerabilities.