Comment by lxgr
1 day ago
Passkeys can absolutely constitute two factors. At least the iOS and Android default implementations back user verification (which the website/relying party can explicitly request) with biometric authentication, which together with device possession makes them two-factor.
That's not what two-factor means. Forget about passkeys -- if you use a password manager, and that password manager has a biometric lock, your accounts don't thereby have a biometric lock as a second factor. The transitive property doesn't apply here.
I’d say it does apply transitively, but only if the weakest link itself is also strong enough, and passwords are not.
And even a passkey on a phone that doesn't require authentication is immune to remote phishing and cloning.
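
The user-verification request mentioned in the thread, as an added example that is not part of the original comments: a relying party asks for `userVerification: "required"` and then checks the UV flag in the returned authenticator data on the server. The helper names and sample bytes are constructed for illustration, and the sketch assumes the assertion signature, challenge and rpIdHash are verified elsewhere.

```javascript
// Added example (not from the thread). WebAuthn authenticator data layout:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
const FLAG_UP = 0x01; // user present (e.g. a touch)
const FLAG_UV = 0x04; // user verified (biometric or PIN on the authenticator)

// What the relying party passes to navigator.credentials.get().
// The challenge is a constructed placeholder; a real one is random per request.
const requestOptions = {
  publicKey: {
    challenge: new Uint8Array(32),
    userVerification: "required",
  },
};

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data shorter than 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Server-side policy: asking for UV in the request proves nothing by itself;
// the UV flag inside the signed authenticator data is what gets enforced.
function checkUserVerification(bytes, options) {
  const data = parseAuthenticatorData(bytes);
  if (!data.userPresent) return { ok: false, reason: "user presence flag not set" };
  const uvRequired = options.publicKey.userVerification === "required";
  if (uvRequired && !data.userVerified) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  return { ok: true, userVerified: data.userVerified };
}

// Constructed sample input: zeroed rpIdHash, the given flags, signCount 7.
function sampleAuthData(flags) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  bytes[36] = 7;
  return bytes;
}

console.log(checkUserVerification(sampleAuthData(FLAG_UP | FLAG_UV), requestOptions));
console.log(checkUserVerification(sampleAuthData(FLAG_UP), requestOptions));
```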