Can someone explain this to me.

Webpage asks to confirm my id via either text, email or password. I enter my password, then have to confirm via a code sent to my email. Why fucking bother having a GD password if you're just going to use the email anyway?

Of course this is also a company that gives you the option to accept or reject cookies on every page, every time you visit their site. Must be some elementary school running things.

in reply to Smeetoo

@Smeetoo The method of 2FA requiring e-mail or text is inefficient and not particularly secure, since either can be intercepted. A better solution, and I have one, is Yubikey, a hardware device you plug into your computer that cryptographically confirms your identity. Since it's a physical device you have to have on you, it can't be intercepted. The real idea behind 2FA is something you KNOW and something you HAVE; mail/text does not provide this security, a Yubikey does.
in reply to Smeetoo

@nanook yeah but the email and/or sms msg to phone option is to give you a 6 digit code that expires in 10 minutes to confirm your login with.

Given that an email can easily be hijacked and an SMS slightly less easy, plus baddies need to know the association to your login, adding a 10 minute window of opportunity to it all helps reduce some of your attack exposure. Lame but there it is. PassKey looks like public key shit to be exploited later once it gets seriously baddie studied.

in reply to Nanook

@nanook @klaatu And not everyone has a yubikey either, dude.

What I want to know is what was being "secured" with this circus of steps.

In my experience, it's usually a forum login or some "account" on a website like github or discord or twitter that requires YOU to be 100% cryptographically secure before you're allowed to download an image or open-source plugin or something, while they're having data breaches every five minutes because Silicon Valley doesn't play by their own rules.

I want high security on my bank account. I don't need 2FA yubikey SMS pain-in-the-ass credential fuckery on the vast majority of "accounts" that every damn website in existence wants a person to create just because they want to enable ad tracking.

in reply to Nanook

@nanook @klaatu Obviously, the independent or 3rd-party solutions aren't attractive to the big platform vendors like Apple or Microsoft, who push hard for 2FA as a transparent lock-in ploy.

Their marketing says "no passwords", but their implementation is that most of the bits of the password are stored in a device that they control, meaning you lose all of your access if you ever try to switch platforms.

Yubikey is the same thing, but at least you control the device.
