datx
3 years ago, New Contributor
What am I missing with passkeys?
I am finally getting around to putting passkeys into action.. but something isn't adding up.
As a low risk test, I added a passkey to a bestbuy account. Started up an incognito session, and logge...
Former Member
3 years ago
XIII said: Actually passkeys can still be 2FA, if the RP (relying party) requires User Verification (biometric or PIN)
That type of second factor is great and I'm all for it, but it's just a question of semantics -- that second factor is simply some additional protection on the private key so that it can't be easily reused like a lost house key found lying on the ground. It's not the same as the legacy password system where the "something you know" part has no connection to the "something you have" part.
My point is still the same: using something like 1password with high entropy site passwords, a high entropy One Password, and traditional 2FA is great, and (IMO) equally secure as passkeys. But it's no more secure, and suffers from the flaw that it can easily be less secure.
lodaka The problem is that using 1password plus yubikey is no longer "something you know + something you have", it's two "something you haves" since 1password is "something you have". So at that point we're just talking about redundancy, which is a burden on most people and comes with its own flaws. (Like easily being able to lock yourself out.) But sure, if FIDO wants to add formal, optional support for requiring two separate passkeys to log into a site, so that a user would require two "something you haves" like the double-keyed missile launcher in War Games, then maybe that will become a thing one day.
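The exchange above hinges on what it means for the RP to "require User Verification". Concretely, the authenticator reports whether the user unlocked the key with a PIN or biometric in the flags byte of the WebAuthn authenticatorData, and the site only gets a second factor if it checks that bit instead of merely accepting it. The following is an added example (not code from the thread, 1Password, or any FIDO project) that parses the 37-byte authenticatorData header, applies the RP's userVerification policy, and runs the signature-counter clone check from the WebAuthn spec. The rpId `example.com`, the helper `build_auth_data`, and the sample inputs are all constructed for illustration; verifying the assertion signature itself is out of scope here.

```python
"""Relying-party side checks on WebAuthn authenticatorData (added example)."""
import hashlib
from dataclasses import dataclass

# Flag bits of the authenticatorData flags byte, as defined by WebAuthn.
FLAG_UP = 0x01  # user present (touch / click)
FLAG_UV = 0x04  # user verified (PIN or biometric unlocked the private key)
FLAG_BE = 0x08  # backup eligible (credential may be synced across devices)
FLAG_BS = 0x10  # backup state (credential is currently backed up / synced)


@dataclass
class AuthData:
    rp_id_hash: bytes   # SHA-256 of the rpId the credential is scoped to
    flags: int          # flags byte
    sign_count: int     # 32-bit big-endian signature counter

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    return AuthData(
        rp_id_hash=raw[:32],
        flags=raw[32],
        sign_count=int.from_bytes(raw[33:37], "big"),
    )


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed helper: what an authenticator would emit for an assertion
    (no attested-credential or extension data). Used only to make sample input."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + sign_count.to_bytes(4, "big"))


def check_assertion(raw: bytes, expected_rp_id: str,
                    uv_requirement: str = "required",
                    stored_sign_count: int = 0):
    """Return (accepted, reason).

    uv_requirement mirrors the RP's userVerification option:
    'required' turns the passkey into presence + PIN/biometric (two factors);
    'preferred' or 'discouraged' accept a bare key press (single factor).
    """
    ad = parse_auth_data(raw)

    # The credential must be scoped to this RP, not some other site.
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match this RP"

    # Presence is the minimum: a key must have been physically used.
    if not ad.user_present:
        return False, "UP flag clear: no user presence"

    # This is the line that makes the passkey a second factor.
    if uv_requirement == "required" and not ad.user_verified:
        return False, "UV flag clear: authenticator did not verify the user"

    # Spec counter rule: if either counter is non-zero, the new one must be
    # strictly greater, otherwise the private key may have been cloned.
    # Synced passkeys commonly report 0 and skip this check.
    if (ad.sign_count or stored_sign_count) and ad.sign_count <= stored_sign_count:
        return False, "signature counter did not increase: possible cloned authenticator"

    reason = ("accepted (user verified)" if ad.user_verified
              else "accepted (presence only, single factor)")
    return True, reason


if __name__ == "__main__":
    rp = "example.com"  # constructed rpId
    samples = {
        "PIN/biometric used": build_auth_data(rp, FLAG_UP | FLAG_UV, 5),
        "touch only":         build_auth_data(rp, FLAG_UP, 6),
        "synced, no counter": build_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0),
    }
    for label, raw in samples.items():
        for policy in ("required", "preferred"):
            ok, why = check_assertion(raw, rp, policy)
            print(f"{label:20} userVerification={policy:9} -> {ok}: {why}")
```

The two policies show the point made in the thread: with `userVerification: "required"` a touch-only assertion is rejected, so the PIN or biometric is genuinely enforced by the site rather than being a convenience on the client. The backup-state flag is included because synced passkeys (the kind that raised the original poster's concern) identify themselves this way and typically carry a zero signature counter, which is why the clone check cannot be relied on for them.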