Passkeys ❤️
If they arent on a USB stick, protected against being copied, they are only a single factor that instill false safety.
Depends on the system. The thing where your password manager is managing your passkeys? That’s a single factor unless it’s doing something tricky that none of them do.
When it’s the tpm or a Bluetooth connection to your phone? That’s actually two factors, and great.
The best I’ve seen was yesterday where a website had the log-in button greyed out after the password manager filled my creds in.
So I had to manually click both the email and password field. Just click them. Then it enabled the log-in button.
So someone took their time to write a piece of JS that said “If the user hasn’t focused both fields at least once, no login”. Literally why? Extra code that does nothing useful.
I was hoping passkeys would be the solution to this madness, but it seems to me the entire spec gives too much power to the OS Makers and too little to the users because “mUh AtTtEsTatIoN” so now I don’t know anymore
They inevitably didn’t write it for that reason. They wrote it to say the field is invalid until the user changes it to be valid after someone landed on the page holding the enter key down and instantly locked themselves out after submitting the form 50 times in 3 seconds.
Unless you know otherwise, it’s easy to think that “form interaction” is the same as “form changed”, and one of those is much easier to check.I’m unsure what you mean about passkeys. I don’t think I’ve heard anyone mention significant concessions to os makers and I’m pretty tuned in on the topic.
