
Are passkeys a secure replacement for 2FA?

Çağlar Arlı

Passkeys seem great to me as an individual: instead of passwords and TOTP tokens, I can now slowly ditch the passwords and the somewhat annoying (but important!) TOTP tokens which I have locked in my phone.

I have read that passkeys will be able to replace 2FA altogether, great! This also seems safe to me: the passkeys are stored safely on my phone, I have it with me everywhere, and using the passkeys requires a fingerprint. But this only seems safe if I as an individual make sure to use trustworthy ways to store and manage my passkeys.

I develop a web application which requires a password and 2FA (TOTP or SMS). I know neither of them is foolproof, hence the two-factor authentication. 2FA is not foolproof either, but it is much better than only one factor.

All my users are certainly not security-aware on the web, but forcing them to use 2FA makes it much better. I would like to offer them the simplicity together with the security that passkeys are said to offer, even if passkeys are used as the only authentication factor.

But from a developer's view, are passkeys actually as good as having 2FA? For many of the practically likely cases I would say yes, but since I as a developer cannot control how the user manages and stores his or her passkeys, couldn't the security of the passkeys be the weakest link?

Support for handling passkeys is slowly coming from password managers, which is very good. But if a user uses a password manager for storing the passkeys, and chooses to use only a really bad password for the password manager vault, then the passkey security seems to lose its "value".

Will passkeys actually be able to replace 2FA for applications that require high security for all users, or should passkeys be considered a good type of 2FA instead?
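One lever the relying party does keep, as an added example (not part of the question above): the WebAuthn authenticatorData returned with every passkey assertion carries flags saying whether the authenticator verified the user (UV, the fingerprint/PIN step) and whether the credential is backup-eligible or currently backed up (BE/BS, i.e. a synced passkey such as one held in a password manager vault). The function names, the policy rules and the sample rpId `example.com` are assumptions of this example, not any project's code.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticatorData flags byte
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric performed on the authenticator)
FLAG_BE = 0x08  # backup eligible (credential may be synced between devices)
FLAG_BS = 0x10  # backup state (credential is currently backed up / synced)

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }

def evaluate_assertion(auth_data: bytes, rp_id: str, stored_sign_count: int, allow_synced: bool) -> dict:
    """Apply a 'passkey instead of password+2FA' policy; returns a verdict and a loggable reason."""
    p = parse_authenticator_data(auth_data)
    if p["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return {"ok": False, "reason": "rpIdHash mismatch"}
    if not p["user_present"]:
        return {"ok": False, "reason": "user presence not asserted"}
    if not p["user_verified"]:
        # Without UV the assertion proves possession only: one factor, not two.
        return {"ok": False, "reason": "user verification (PIN/biometric) not performed"}
    if p["backed_up"] and not allow_synced:
        # A synced credential is only as safe as the user's vault; deny or step up.
        return {"ok": False, "reason": "synced passkey not accepted for high-assurance login"}
    new = p["sign_count"]
    if (new != 0 or stored_sign_count != 0) and new <= stored_sign_count:
        # Counter did not increase on a counter-bearing authenticator: possible cloned key.
        return {"ok": False, "reason": "signature counter did not increase"}
    return {"ok": True, "reason": "user-verified passkey accepted", "sign_count": new}

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test input: a minimal authenticatorData header with no attested credential."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

Synced passkeys normally report a zero signature counter, so the counter check only catches clones of device-bound authenticators that actually maintain one.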