A new login technique is becoming available in 2023: the passkey. The passkey promises to solve phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is. There’s a good reason for that. A passkey is in some sense one of two (or three) different things, depending on how it’s stored.
Passkeys are indeed only the first factor. A second factor could be a(n unrelated) password, or raw biometric data.
The traditional authentication factors (something you know, something you have, something you are) still work like they used to. Passkeys use the “something you have” factor by default.
The “something you are” factor (biometrics) isn’t commonly used, because most services actually use a stored secret that gets unlocked through biometric rather than biometrics data directly; any fingerprint login is just a public/private key in implementation, except the hardware is supposed to not use that key unless the biometrics sensor validates you.
Theoretically you could achieve the same factor as passkeys by logging in through username + TOTP code, because TOTP codes are only supposed to be generated on a dedicated device you have.
With some implementations of passkeys, the factor becomes a bit ambiguous. For example, a synchronised passkey behind just a password might as well be a password, albeit for a different service.
For traditional passkey storage (a TPM, a Yubikey), this isn’t a problem of course.
The second factor doesn’t necessarily exist, since you’ve moved all of that to the client side now. It entirely depends on implementation and that the implementation is done correctly and is honest. The server only knows that you have the key, it’s single factor authentication.
In the past, it verifies that I know the password and that I have a key on the server side through separate challenges.
It’s still way better than username / password, it just has new (more difficult) vulnerabilities.
This is where PAKE algorithms for secure password checks fits in
https://slrpnk.net/comment/3782237