Typically, no. You’re thinking of TOTP/Authenticator based 2FA. Those still come with backup codes in case you break the phone that has the TOTP codes warehoused. I always recommend keeping those backup codes saved in the notes of whatever password manager you’re hopefully using.
Passkeys are essentially just one half of a cryptographic key pair (like what you’d use for authenticating SSH without passwords). These allow you to authenticate once using password + 2FA, then use the generated passkey for future sessions. Since these are much more complex than passwords and remove the need to actually remember anything, they are significantly more secure.
There are also some other features that I’m forgetting, and that may not be a perfectly accurate description, but I think you can get the gist.
Passkeys are supposed to be bound to one device and protected by that device’s OS’s secure enclave. If you have a second device you’re supposed to create a second passkey.
That’s why many sites will flat out refuse to let you create a passkey with a desktop browser since a PC-stored passkey doesn’t fit the security model.
Yeah, that’s how I understood it to work, as well. I didn’t mention it because I’ve seen a bunch of different implementations that don’t seem to work that way. I didn’t want to speak too much on that specific point, since I don’t have a very thorough understanding of it.
I always recommend keeping those backup codes saved in the notes of whatever password manager you’re hopefully using
Wouldn’t this undo some of the security of even having 2FA? If your password manager was somehow breached the attacker would have all your passwords and your 2FA codes, right?
Typically, no. You’re thinking of TOTP/Authenticator based 2FA. Those still come with backup codes in case you break the phone that has the TOTP codes warehoused. I always recommend keeping those backup codes saved in the notes of whatever password manager you’re hopefully using.
Passkeys are essentially just one half of a cryptographic key pair (like what you’d use for authenticating SSH without passwords). These allow you to authenticate once using password + 2FA, then use the generated passkey for future sessions. Since these are much more complex than passwords and remove the need to actually remember anything, they are significantly more secure.
There are also some other features that I’m forgetting, and that may not be a perfectly accurate description, but I think you can get the gist.
Passkeys are supposed to be bound to one device and protected by that device’s OS’s secure enclave. If you have a second device you’re supposed to create a second passkey.
That’s why many sites will flat out refuse to let you create a passkey with a desktop browser since a PC-stored passkey doesn’t fit the security model.
Yeah, that’s how I understood it to work, as well. I didn’t mention it because I’ve seen a bunch of different implementations that don’t seem to work that way. I didn’t want to speak too much on that specific point, since I don’t have a very thorough understanding of it.
Wouldn’t this undo some of the security of even having 2FA? If your password manager was somehow breached the attacker would have all your passwords and your 2FA codes, right?