by atoponce 1138 days ago
2FA is rife with problems. FIDO2/WebAuthn isn't tied to biometrics and can be inconvenient. TOTP can get out of sync and can be phished. Email can also be phished. Voice and SMS are vulnerable to SIM swaps. Now we're seeing that passkeys are horribly opaque without proper management and at risk of getting lost.

Le sigh.

3 comments

Passkeys are just software backed FIDO keys with no attestation and less features.

FIDO is flexible enough to distinguish userPresence (i.e., touching the key) from userVerification (commonly, entering a PIN), but this is only defined for physical keys IIRC.

> FIDO2/WebAuthn isn't tied to biometrics

Good. Biometrics (“something you are”) aren’t a second factor.

Biometrics aren't the second factor when using WebAuthn; the hardware security key is. But anyone with access to the security key can use the second factor. Biometrics would tie the key to you, preventing it from being used by others. The best we have right now for unlocking the security key are PINs, AFAIK.

All those problems are also true of 2FA's competition, which is plain old passwords. 2FA is progress. Don't let the perfect be the enemy of the good.