hertg, Question about implementation of #Passkeys. As I understand it, having a user login with passkey but without UV (User Verification) is not necessarily MFA as it could just be a stolen security key (Something you have).
How is (or should) #MFA with Passkeys implemented in practice? By setting UV as "required"? Or by setting UV as "preferred" and then based on the user response prompt for another factor (eg. #TOTP) in case there was no UV? I am a bit confused about how to fit Passkeys into the current #authentication logic.
#passwords #fido #fido2 #webauthn #identitymanagement #iam #oauth #openid
Add comment