by michaelt
978 days ago
> Why would SMS OTP be used? 100% of accounts today will already have a password, that's how you would login if you lose your only passkey device.

> If/When passwords are not a thing anymore then why wouldn't the recovery use a "lost password" type flow that is facilitated via the account email?

Well, passkeys are descended from FIDO/U2F keys, which have traditionally been used for "two factor authentication" - by confirming both 'something you have' and 'something you know', your account is protected if someone has shoulder-surfed your password, or stolen your phone, or hacked your e-mail, or whatever. And FIDO/U2F keys are kinda a hassle, so they're only used by the most security-conscious people in the most security-critical situations. For these people, a recovery mechanism that falls back to a single factor (password-only login, e-mail-only login) is a big weakness, security-wise.