by jamesmotherway 532 days ago
Hardware keys and passkeys are better because they can't be phished. In the case of hardware keys, one should register multiple to prevent lockout. Most implementations of passkeys seem to be portable, letting them exist on multiple devices (something that gives me pause).

If an adversary can successfully phish someone, they can often also trick them into providing TOTP codes or approving push notifications. However, TOTP remains significantly better than the alternatives, as it prevents credential stuffing attacks and SMS-related compromises while potentially limiting any account breach to a single session.


> Hardware keys and passkeys are better because they can't be phished.

I think you're missing the point I made -- that because of the way sites are currently set up, your password can be phished even if you have a passkey, and your password is good enough to get you in.

So given that that is the current state of things, isn't TOTP better because it prevents this? Because at least the TOTP won't let an adversary get in a second time.

Sorry, I overlooked part of your post earlier - I'm tired. As I previously alluded to, I don't use passkeys due to concerns about their implementation. Whether passkeys are better than TOTP really depends on the individual user's circumstances.

Which service is it? Do they ever use that password?

If I were used to signing in with a passkey, I'd find a password prompt suspicious. While the average person might not, it's also possible they would have forgotten the password entirely. There are other services that force TOTP even with hardware keys enrolled. Technically they can be phished, but it would not be successful in all cases.

Unfortunately, varying behavior and support for multifactor protocols (along with risky reset flows) makes it hard to give blanket recommendations.