by ents 1325 days ago
The demo is just using OTP sent to my email, which essentially makes my email a password manager, and now a much higher value target.

Your email is already both the password and 2fa reset for the vast majority of services... including things like bank accounts.

Email access is basically total access.

That's a good point. It's annoying to have to check email for a code for each login though, compared to 1Password autofill w/password and TOTP.
Email OTP is just the fallback authentication method of the demo in case a user does not have access to the passkey(s) anymore. Depending on the real world scenario, fallback authentication may either be completely disabled as soon as passkeys are widely available, or protected by e.g. a Security Key or other 2FA methods.
There's a different user experience in Safari on Ventura -- it prompts for my TouchID.
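The comment above describes the demo's email OTP as a fallback that should either be switched off by policy or gated behind a second factor. The following is an added example, not the demo's or any commenter's code, of what a server-side fallback that honours those constraints looks like: the OTP is only issued when the account's policy permits it, it is stored as a keyed hash rather than in the clear, it expires, it is single-use, and it is rate-limited against guessing. The `SERVER_KEY`, the in-memory store, the `Account` policy fields and the injectable clock are all assumptions made for the example.

```python
"""Email-OTP fallback for a passkey login (added example, not the demo's code).

Assumptions: SERVER_KEY is a per-deployment secret kept out of the database,
the pending-OTP store is an in-memory dict, and the clock is injectable so
the behaviour is deterministic under test.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SERVER_KEY = secrets.token_bytes(32)  # assumption: deployment secret, not stored with OTPs
OTP_TTL_SECONDS = 300                 # an emailed code should not live long
MAX_ATTEMPTS = 5                      # a 6-digit code is only ~20 bits; cap guesses hard


@dataclass
class Account:
    email: str
    # Policy knobs matching the comment: fallback may be disabled outright,
    # or allowed only once another factor (e.g. a security key) has been checked.
    fallback_enabled: bool = True
    fallback_requires_second_factor: bool = False


@dataclass
class PendingOtp:
    digest: bytes       # keyed hash of (email, code); the code itself is never stored
    expires_at: float
    attempts: int = 0


class OtpFallback:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, PendingOtp] = {}

    def fallback_allowed(self, acct: Account, second_factor_ok: bool = False) -> bool:
        """Apply the account's fallback policy before any code is generated."""
        if not acct.fallback_enabled:
            return False
        if acct.fallback_requires_second_factor and not second_factor_ok:
            return False
        return True

    def issue(self, acct: Account, second_factor_ok: bool = False) -> Optional[str]:
        """Create a fresh OTP for the account, or None if policy forbids fallback.

        Returns the code so the example can demonstrate verification; a real
        deployment would hand it to the mailer and return nothing to the caller.
        """
        if not self.fallback_allowed(acct, second_factor_ok):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[acct.email] = PendingOtp(
            digest=self._digest(acct.email, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, acct: Account, code: str) -> bool:
        """Check a submitted code: expired, over-tried or already-used codes fail."""
        pending = self._pending.get(acct.email)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[acct.email]
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[acct.email]
            return False
        if not hmac.compare_digest(pending.digest, self._digest(acct.email, code)):
            return False
        # Success consumes the code: a second submission of the same OTP fails.
        del self._pending[acct.email]
        return True

    @staticmethod
    def _digest(email: str, code: str) -> bytes:
        # Keyed hash binds the code to the account and makes a leaked store useless
        # without SERVER_KEY; the NUL separator keeps email/code from ambiguously concatenating.
        return hmac.new(SERVER_KEY, f"{email}\x00{code}".encode(), hashlib.sha256).digest()
```

The policy check in `fallback_allowed` is the part that addresses the thread's concern: with `fallback_enabled=False` the mailbox stops being a login path at all, and with `fallback_requires_second_factor=True` a stolen inbox alone is not enough to complete the fallback.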