Websites should not get to dictate my security model. I’ll accept annoying me about being less secure because I get that people are dumb, but you’ve gotta choose somehow! Also, any passkey is safer than a password, so that’s still BS.
The logic behind it is that a smartphone-bound passkey represents two factors of authentication: what you have (the phone) and who you are (the fingerprint used to unlock the phone’s passkey store).
Anything on a PC is easily copied and can only ever be safely assumed to represent one factor: what you know (the password to unlock your password manager). Thus the benefit of getting a two-factor authentication in one convenient step falls away.
Of course it’s still super annoying, especially if you don’t really trust your smartphone OS vendor and use a portable password manager already.
Websites should not get to dictate my security model. I’ll accept annoying me about being less secure because I get that people are dumb, but you’ve gotta choose somehow! Also, any passkey is safer than a password, so that’s still BS.
The logic behind it is that a smartphone-bound passkey represents two factors of authentication: what you have (the phone) and who you are (the fingerprint used to unlock the phone’s passkey store).
Anything on a PC is easily copied and can only ever be safely assumed to represent one factor: what you know (the password to unlock your password manager). Thus the benefit of getting a two-factor authentication in one convenient step falls away.
Of course it’s still super annoying, especially if you don’t really trust your smartphone OS vendor and use a portable password manager already.