I just tried this out with GitHub. My passkey lives in 1Password so it’s backed up and synced across devices. It also lets me sign in with normal MFA/TOTP if I don’t have the passkey, or use a recovery code. Incidentally, @brian@programming.dev, this is working in Firefox now.
So, it’s just a password with a different name.
Seriously, what is the functional difference between this and stricter password requirements? I don’t see it.
Passkeys use a challenge/response protocol that doesn’t transmit any actual secrets. This makes them phishing resistant, as you can’t just “type in your passkey secret” at gitnub .com
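
The challenge/response flow described in the comment above, as an added example that is not part of the original thread and is not GitHub's or 1Password's code. It is a simplified WebAuthn-style model in Node.js; the function names and the message layout are assumptions made for illustration.

```javascript
// Added illustration: simplified WebAuthn-style challenge/response.
// Function names and the clientData layout are assumptions, not a real API.
const crypto = require('node:crypto');

// Registration: the key pair is scoped to one origin; the site stores only the public key.
function createPasskey(rpOrigin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpOrigin, publicKey, privateKey };
}

// Authenticator: signs the challenge together with the origin the browser reports.
function authenticatorSign(passkey, origin, challenge) {
  const clientData = JSON.stringify({ origin, challenge: challenge.toString('base64url') });
  return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), passkey.privateKey) };
}

// Browser: only offers a passkey on the origin it was registered for.
function browserGetAssertion(passkey, pageOrigin, challenge) {
  return pageOrigin === passkey.rpOrigin ? authenticatorSign(passkey, pageOrigin, challenge) : null;
}

// Server: checks the signature, the signed origin, and that the challenge is the one it just issued.
function verifyAssertion(expectedOrigin, publicKey, issuedChallenge, assertion) {
  if (!assertion) return 'no-credential';
  const signed = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', signed, publicKey, assertion.signature)) return 'bad-signature';
  const { origin, challenge } = JSON.parse(assertion.clientData);
  if (origin !== expectedOrigin) return 'wrong-origin';
  if (challenge !== issuedChallenge.toString('base64url')) return 'stale-challenge';
  return 'ok';
}

function demo() {
  const site = 'https://github.com';
  const lookalike = 'https://gitnub.com'; // lookalike domain from the comment above
  const passkey = createPasskey(site);
  const first = crypto.randomBytes(32), second = crypto.randomBytes(32); // constructed challenges
  const genuine = browserGetAssertion(passkey, site, first);
  const pk = passkey.publicKey;
  return {
    genuine: verifyAssertion(site, pk, first, genuine),
    phishingPage: verifyAssertion(site, pk, first, browserGetAssertion(passkey, lookalike, first)),
    wrongOriginSigned: verifyAssertion(site, pk, first, authenticatorSign(passkey, lookalike, first)),
    replayed: verifyAssertion(site, pk, second, genuine),
  };
}
console.log(demo());
```

The private key never leaves the authenticator side, and a response signed for one challenge and origin is useless for any other, which is the difference from a password typed into a form.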