Depending on the security needs using hardware based security as a second factor while still requiring some other form of auth is not actually a bad idea.
Public key cryptography tied to physical hardware, so if you lose your phone / usb key, you need to use your backup recovery code; a fairly short one time password that negates the security benefits of Fido in one easy step.
It can also use biometrics, but that requires every device you log in on to have biometric readers.
I love FIDO logins and next to fucking no one implements them :(
Absolutely 100%. Click login, accept passkey signature, logged in. This is the way to go
And when they do they only offer them as the second factor.
Yes, let me first input my password (from a password manager), the let me approve with a passkey that is meant to make my password not necessary.
But email based login: FUCK THAT SHIT.
I actually prefer using FIDO2 as a second factor only cos I use YubiKey which can only store 100 RKs.
Depending on the security needs using hardware based security as a second factor while still requiring some other form of auth is not actually a bad idea.
What are they?
Public key cryptography tied to physical hardware, so if you lose your phone / usb key, you need to use your backup recovery code; a fairly short one time password that negates the security benefits of Fido in one easy step.
It can also use biometrics, but that requires every device you log in on to have biometric readers.
Or you could use multiple fido key’s as backups