by rawfan
1119 days ago
We're using a FIDO2 security key as a passkey. Corporate policies force our users to also password-protect these. So whenever people authenticate using a FIDO2 key as their passkey, they also need to enter its password. The benefits of passkeys are:

- the web apps only store a specific public key instead of a hashed password
- a direct connection is necessary for the challenge/response flow so that phishing attacks or MITM are impossible (AFAIK)
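
Added example, not part of the comment above and not code from any real relying party: a simplified sketch of the server-side checks on a WebAuthn assertion, showing that the server holds only a public key and that the browser-written origin is covered by the signature. The RP ID, origins and key pair are constructed here, and `signAssertion` is a hypothetical stand-in for the browser and security key; a production server would use a maintained WebAuthn library and also handle CBOR-encoded keys and signature counters.

```javascript
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Hypothetical relying party (RP). At registration it stores only the public key.
const RP_ID = 'example.com';
const RP_ORIGIN = 'https://example.com';
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Stand-in for browser + security key. The browser, not the page, writes `origin`;
// the key signs authenticatorData || SHA-256(clientDataJSON).
function signAssertion(challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData: rpIdHash (32 bytes) | flags (UP 0x01 + UV 0x04) | signCount (4 bytes)
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// RP-side checks, in the order a server would apply them.
function verifyAssertion(a, expectedChallenge) {
  const c = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (c.type !== 'webauthn.get') return 'bad type';
  const got = Buffer.from(String(c.challenge), 'base64url');
  if (got.length !== expectedChallenge.length ||
      !crypto.timingSafeEqual(got, expectedChallenge)) return 'bad challenge';
  if (c.origin !== RP_ORIGIN) return 'bad origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad rpIdHash';
  if ((a.authData[32] & 0x04) === 0) return 'user not verified'; // key PIN/biometric not checked
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const challenge = crypto.randomBytes(32);
  const good = signAssertion(challenge, RP_ORIGIN);
  const lookalike = signAssertion(challenge, 'https://examp1e.test'); // constructed origin
  // Rewriting the origin after signing passes the origin check but breaks the signature.
  const rewritten = { ...lookalike, clientDataJSON: good.clientDataJSON };
  return {
    good: verifyAssertion(good, challenge),
    lookalike: verifyAssertion(lookalike, challenge),
    rewritten: verifyAssertion(rewritten, challenge),
    staleChallenge: verifyAssertion(good, crypto.randomBytes(32)),
  };
}
console.log(demo());
```

The user-verified (UV) flag is where the key's own PIN shows up on the server side: the relying party never sees the PIN, only the authenticator's signed statement that it was checked.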