by PassageNick 1251 days ago
Passwordless is MFA -- something you are and something you have.

I'm not a YubiKey expert, but I don't believe that losing your YubiKey will open up your company to a breach.

For a typical passwordless solution, losing your phone isn't a risk, given that no one can reproduce your face or thumbprint.

1 comment

Your face and thumbprint can easily be reproduced. There is even a guy who took a photo of a politician's finger from a mile away and used that to forge their fingerprint. Even without going technical, your doppelgangers can bypass face auth lol. You can guess or spray PINs and push-notification codes. The one thing you can count on is that someone will find a way around any good passwordless solution. For example, there is an "RDP in browser" phishing where a browser in the attacker's VM does the actual auth, but the user thinks it is in their browser, so most passwordless methods are defeated by cookie theft like that.
If you can take a photograph of someone's fingerprint and reproduce it, how, exactly, does one use that?
...and can you explain the cookie theft thing a bit more?
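As an added illustration (not part of the thread or anyone's post in it), the model behind the cookie-theft question above: after any login, passwordless or not, the server hands the browser a session cookie, and a server that checks only the cookie accepts whoever presents it, so the strength of the authentication step no longer matters once the cookie is in someone else's hands. The code below shows that bearer property, then two defender-side measures: binding the session to client context captured at issuance, and flagging in access logs a session id that is used from a different IP/ASN than the one that logged in. All names, client contexts and log lines are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed per-process key used to fingerprint client context (not from the thread).
SERVER_KEY = secrets.token_bytes(32)


def client_fingerprint(ctx: Dict[str, str]) -> str:
    """HMAC over client attributes captured when the session is issued.

    ctx is a constructed dict such as {"ua": ..., "tls_id": ...}; a real deployment
    would pick attributes the client cannot cheaply replay from another machine.
    """
    material = "|".join(f"{k}={ctx[k]}" for k in sorted(ctx))
    return hmac.new(SERVER_KEY, material.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Minimal server-side session store; tokens are random and opaque."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, str]] = {}

    def issue(self, user: str, ctx: Dict[str, str]) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, client_fingerprint(ctx))
        return token

    def auth_bearer(self, token: str) -> Optional[str]:
        """Plain bearer cookie: possession of the token is the whole check."""
        entry = self._sessions.get(token)
        return entry[0] if entry else None

    def auth_bound(self, token: str, ctx: Dict[str, str]) -> Optional[str]:
        """Bound cookie: the token must arrive with the same client context it was issued to."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expected = entry
        if not hmac.compare_digest(expected, client_fingerprint(ctx)):
            return None
        return user


# Constructed access-log lines: ISO timestamp followed by key=value fields.
LOG_LINES = [
    "2024-01-01T10:00:00Z sid=abc user=alice ip=203.0.113.10 asn=64500 event=login",
    "2024-01-01T10:00:05Z sid=abc user=alice ip=203.0.113.10 asn=64500 event=request",
    "2024-01-01T10:00:09Z sid=abc user=alice ip=198.51.100.7 asn=64501 event=request",
    "2024-01-01T10:01:00Z sid=def user=bob ip=192.0.2.5 asn=64502 event=login",
    "2024-01-01T10:02:00Z sid=def user=bob ip=192.0.2.5 asn=64502 event=request",
]


def parse_line(line: str) -> Dict[str, str]:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def detect_session_reuse(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag a session id whose requests come from a different IP/ASN than its login."""
    origin: Dict[str, Tuple[str, str]] = {}
    alerts: List[Tuple[str, str]] = []
    for rec in map(parse_line, lines):
        sid = rec["sid"]
        if rec["event"] == "login":
            origin[sid] = (rec["ip"], rec["asn"])
            continue
        first = origin.get(sid)
        if first is None:
            alerts.append((sid, "request without observed login"))
        elif (rec["ip"], rec["asn"]) != first:
            alerts.append((sid, f"login from {first[0]}/AS{first[1]}, "
                                f"request from {rec['ip']}/AS{rec['asn']}"))
    return alerts


def demo() -> dict:
    store = SessionStore()
    victim_ctx = {"ua": "Firefox/120", "tls_id": "victim-channel"}   # constructed
    other_ctx = {"ua": "Chrome/119", "tls_id": "other-channel"}      # constructed
    token = store.issue("alice", victim_ctx)
    return {
        "bearer_replay": store.auth_bearer(token),          # accepted: cookie alone suffices
        "bound_replay": store.auth_bound(token, other_ctx),  # rejected: context mismatch
        "bound_legit": store.auth_bound(token, victim_ctx),  # accepted
        "alerts": detect_session_reuse(LOG_LINES),           # one alert, for sid=abc
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both checks target the case where a cookie is lifted from the victim's browser and replayed elsewhere. In the variant the comment describes, where the genuine site is driven from a browser on the attacker's machine, the session is issued to that browser from the start, so issuance-time binding and post-login anomaly detection see nothing unusual; the defence has to sit at the authentication step itself, with an authenticator that cannot be exercised from that remote browser.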