konha | 1 year ago

They can be. Depends on how they are implemented.

Passkeys can:

- Replace the whole login (including discovery of the user id)

- Just replace the password, after a user specified a user id

- Be used as a second factor just like TOTP

They are definitely more phishing resistant for what it’s worth, even if just used for MFA. TOTP codes can be copied manually by an unsuspecting user.
