After I set up passkeys on my Google account and not getting prompted for my Yubikey as a second factor I posed the following question on mastodon the other day about passkeys:

“#Passkeys question, I have Yubikeys set as the second factor on numerous accounts. What if I want to use passkey for those accounts stored on a Yubikey, will using passkey mean I need an OTP code or have to use a different Yubikey? Or will passkeys eliminate the second factor as it has seemed to do with my Google account, I just signed in using a passkey and wasn’t asked for my second factor. I should have really done far more reading on this matter.”

I had some suggestions (some assumption about my age too, “Some of you don’t remember a time without 2FA”, my man I first used 2FA back in 1999 to get onto the corporate VPN over dial up, it was a dongle about the size of an AirPod case) about the how and why but nothing from anyone in the know or anything pointing me in the right direction, so I’ve done what I should of done before enabling Google’s passkeys implementation on my account, actually read up on them

First thing I learned, which is obvious in hindsight, passkeys are 2FA in themselves. this is explained in Googles documentation. On Android and iOS device as the key itself is one factor, something you have. The biometric identification whether that’s a fingerprint or Face ID, is the second factor, something you are. So that makes sense for 2FA replacement.

Next I wanted to know about using a passkey with a security key, how would you implement 2FA then. Unfortunately I can’t set up one of my Yubikeys with Googles passkeys or find any documentation on it. I also can’t set it to be used as the something I have within Google security settings. The guidance on using security keys with passkeys is not there yet either, the passkeys site says it’s coming soon and Google doesn’t have any. I think this is because the big roll out at present is focused on the consumer centric iteration and not the business corporate security centric version. Things like non-synchronised passkeys, security keys as second/third factor authentication are there in the WebAthen documentation just not focused on explaining in a less technical manor, or from what I can see implemented in Googles or Apples current itteration of passkeys. I haven’t looked into Micrsofts rollout yet, thought I don’t think their even as far ahead as Google and Apple are, and I am frankly not reading Microsoft documentaion on my own time.

I may dig into the full documentation about it but a lot of it is beyond my understanding as it goes into the technical details and specifications which is more information than I need or wish to understand on the matter. So I will more than likely wait for the end user guidance when it comes out.

Googles passkeys explainer.
Googles passkeys FAQ
FIDO Alliance passkeys FAQ
W3C technical documentaiont on WebAuthenticaion