Sharing a blog I wrote giving a crude demo for how to bootstrap a passkey-only login flow for a web app. Hoping it gives you all inspiration to push towards passkeys and OIDC because everyone still screws up MFA when applied at large enough scales.
In one step, Passkeys provide multiple forms of authentication including:
* FIDO2 based credential
* Origin verification of the requesting web app by the Platform Authenticator (this part makes them phish resistant)
* user password, because you had to unlock the platform authenticator in the first place
* device authentication, because the passkeys are stored within device bound platform authenticators
Don't let your lazy compliance people tell you passkeys aren't MFA.
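As an added example (not code from the post or the linked blog), here is a minimal relying-party check of the WebAuthn assertion fields that back the factors listed above: the origin the browser bound into clientDataJSON, the RP ID hash and user-verification flag in authenticatorData, and the signature counter. It assumes an origin of https://example.com and an RP ID of example.com, and leaves the signature check over the stored credential public key out of scope.

```python
import base64
import hashlib
import hmac
import json

EXPECTED_ORIGIN = "https://example.com"  # assumed RP origin (not from the post)
EXPECTED_RP_ID = "example.com"           # assumed RP ID (not from the post)

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified: PIN/biometric unlocked the platform authenticator

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test helper: the fixed 37-byte authenticatorData prefix."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")

def build_client_data_json(challenge: bytes, origin: str) -> bytes:
    """Constructed test helper: clientDataJSON as the browser emits it for a get() ceremony."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()

def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, last_sign_count: int) -> tuple:
    """Return (ok, reason). Each rejection maps to one factor the post lists."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(_b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or stale response)"
    if cd.get("origin") != EXPECTED_ORIGIN:           # phishing resistance: browser-asserted origin
        return False, "origin mismatch: %s" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"                # credential scoped to another RP
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user not present"
    if not flags & FLAG_UV:                             # the unlock-the-authenticator factor
        return False, "user verification not performed"
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned credential)"
    return True, "ok"
```

Storing `sign_count` per credential and feeding it back as `last_sign_count` on the next login is what makes the counter check meaningful.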