|
|
|
|
|
|
by reshlo
608 days ago
|
|
|
Many websites are using passkeys not as a primary factor, but as the second factor, or as both factors. That implies that they are meant to serve as some combination of “something you are” and “something you have”. The fact that you logged in with one by using biometrics proves both that you are you and that you have your phone. They’re certainly not “something you know” because they are designed specifically so that you are not allowed to know them. Allowing both “something you are” and “something you have” to be reset simultaneously via proof only of “something you know” (the password to your email account) means that once that reset happens, you’ve gone from two or three factors to one factor. Allowing passkeys to be reset by email is not compatible with using them as anything other than the primary factor. If you’re using them as both factors, you’d get equivalent security if you implemented sign-in via only magic links. If you’re using them as the second factor along with a password, but you allow them to be reset via email, you actually only have one factor. |
|
|