[jesseendahl]

> Isn’t the whole point of a passkey that it’s meant to use a chain of trust to prove that you’re you via biometrics or a physical factor?

No actually! The biometric auth is more of a “liveness check” than anything else.

The point of passkeys is to replace the primary factor — the password — with a new primary factor that isn’t fundamentally “broken” in the ways passwords are. Password hashes can be stolen from servers, users frequently reuse them across different services, they are frequently very weak, and they are phishable. In contrast passkeys are guaranteed to be strong, unique, and there is nothing worth stealing from servers for attackers (only a public key).

[reshlo]

Many websites are using passkeys not as a primary factor, but as the second factor, or as both factors. That implies that they are meant to serve as some combination of “something you are” and “something you have”. The fact that you logged in with one by using biometrics proves both that you are you and that you have your phone. They’re certainly not “something you know” because they are designed specifically so that you are not allowed to know them.

Allowing both “something you are” and “something you have” to be reset simultaneously via proof only of “something you know” (the password to your email account) means that once that reset happens, you’ve gone from two or three factors to one factor.

Allowing passkeys to be reset by email is not compatible with using them as anything other than the primary factor. If you’re using them as both factors, you’d get equivalent security if you implemented sign-in via only magic links. If you’re using them as the second factor along with a password, but you allow them to be reset via email, you actually only have one factor.