top | item 37833738

cjcampbell | 2 years ago

I'm surprised that they're moving forward with this already. As of last week, there were still enough rough edges on their implementation that I disabled it for my Workspace tenants. The two most irritating:

1. Advanced protection doesn't yet support passkeys. You must keep U2F in place for now.

2. If you have a U2F key configured on your account, Google will prompt you to use it as a passkey before telling you that it's not a passkey and you must log in with your password. The net result is that anyone using phishing-resistant MFA loses the ability to have their MFA step "remembered" on a device because Google will always prompt for the U2F factor before the password.

This aside, I've been doing a lot of testing with FIDO2 flows using security keys and passkeys across device types and platforms in preparation to roll out passwordless via Okta with a couple of smaller clients. Overall, I love the authentication flow, but there are a lot of gotchas to keep in mind. We've spent a considerable amount of time mapping out the happy path, creating onboarding resources, and documenting business continuity scenarios. The personal use case is actually more of a challenge in some ways, because you need to think about each service rather than just one IdP.

FYI, the easy path right now if you need to support multiple environments is to invest in 1Password or another password manager that supports passkeys. This provides the most consistent user experience and works across most platforms, though we're still having trouble with Android 14.

We're sticking to hardware keys for highly privileged accounts, so admins get a pair of FIDO2 keys. Everyone else gets one Yubikey, which serves as a backup if they lose access to their devices or need to log in on an untrusted device. Android is also a problem here. Even in 14, it doesn't seem to support passwordless FIDO2 flows.

wooptoo|2 years ago

> Android is also a problem here. Even in 14, it doesn't seem to support passwordless FIDO2 flows.

Why would they, when passkeys provide another opportunity for Google to lock in their customers?

cjcampbell|2 years ago

I probably could have framed this more clearly. I don’t think my point really supports the lock-in argument.

Google has been a big proponent of FIDO, having been an early adopter of U2F in Chrome and leveraging it for advanced protection. More recently, they have extended Chrome support to FIDO2/passkeys and made this move to make it the favored means of authentication for Google accounts.

Given that strategy, it's a bit of a head-scratcher to see Android lagging behind its desktop and mobile competitors. Why stick your mobile customers with second-class support for the passwordless technologies you're pushing everywhere else?!