Website wants you to make a passkey, go to login but the entry form only accepts the user name, then you have to click next to password which may or may not accept the passkey.

[–] Appoxo@lemmy.dbzer0.com 4 points 17 hours ago (1 children)

If they arent on a USB stick, protected against being copied, they are only a single factor that instill false safety.

[–] ricecake@sh.itjust.works 2 points 15 hours ago (1 children)

Depends on the system. The thing where your password manager is managing your passkeys? That's a single factor unless it's doing something tricky that none of them do.
When it's the tpm or a Bluetooth connection to your phone? That's actually two factors, and great.

[–] Appoxo@lemmy.dbzer0.com -1 points 9 hours ago (1 children)

Can it be copied from your phone? (e.g. by migrating your phone via a backup)
Then it can be compromitted and is essentially a single factor (because some website permit you to login via the key only).
Only if you'd need to completetly renew the key, then it's truly secure.

[–] ricecake@sh.itjust.works 1 points 3 hours ago

There are secure ways to transfer the key that preserve the properties that make it useful as two factors in one.

Basically, the device will only release the key in an encrypted fashion readable by another device able to make the same guarantees, after the user has used that device to authenticate to the first device using the key being transferred.
A backup works the same way.

[–] onlinepersona@programming.dev 1 points 13 hours ago

Is that FIDO? What's the difference?