alt Hacker NewsPasskeys can absolutely constitute two factors. At least the iOS and Android default implementations back user verification (which the website/relying party can explicitly request) with biometric authentication, which together with device possession makes them two factor.
Replies
UltraSane • yesterday at 8:10 PM
And even a passkey on a phone that doesn't require authentication is immune to remote phishing and cloning.
That's not what two-factor means. Forget about passkeys -- if you use a password manager, and that password manager has a biometric lock, your accounts don't thereby have a biometric lock as a second factor. The transitive property doesn't apply here.