• ricecake@sh.itjust.works · upvotes 5 · downvotes 1 · 5 days ago

    Depends on the system. The thing where your password manager is managing your passkeys? That’s a single factor unless it’s doing something tricky that none of them do.
    When it’s the TPM or a Bluetooth connection to your phone? That’s actually two factors, and great.

    • KairuByte@lemmy.dbzer0.com · upvotes 1 · 3 days ago

      I’m curious what you think tricky is?

      For instance, 1Password requires your secret key for initial login/setup on a device along with the username and password. After initial login/setup the secret key is no longer required, but you still need the password to access.

      I’d call that a fair trade-off. Someone would need to know my password and have unfettered access to my previously set up device to log in, or they would need to know the secret key.

      The secret key is not stored by 1Password (the company). If you store it in 1Password and the last device is lost/broken/stolen then your account is essentially dead. You have no way to get back in.

      • ricecake@sh.itjust.works · upvotes 1 · 2 days ago

        It can totally be fine for your needs, and secure while it does so, and not be two factors.

        It’s a question of what’s required for access. In this case, they would need your password and to have had some manner of device access at some point to steal the value used by 1Password to verify you at one point had the secret key. Someone with a keylogger from a random untargeted malware infection could plausibly get sufficient information. It’s really good 1 factor.

        To be two-factor there would need to be a requirement for two factors to be demonstrated at auth time. For example, if 1Password encrypted the passkeys in such a way that the passkey could not ever leave the device, like via certain types of hardware-backed key storage, then unlocking the vault is proof of something you know, and the usage of the signature is proof you have the chip.
        The trickery comes about in the techniques available to move the passkey between encrypted hardware devices without it ever being exposed or losing the “device you control” assurances.

        For the record, I use 1password. Just not for passkeys on desktop. I prefer the Bluetooth connection to my phone, since phones currently do a much better job providing uniform targets for what’s needed to provide the proper two factor for something like passkeys.

    • Appoxo@lemmy.dbzer0.com · upvotes 1 · downvotes 1 · 5 days ago

      Can it be copied from your phone? (e.g. by migrating your phone via a backup)
      Then it can be compromised and is essentially a single factor (because some websites permit you to log in via the key only).
      Only if you’d need to completely renew the key is it truly secure.

      • ricecake@sh.itjust.works · upvotes 2 · 5 days ago

        There are secure ways to transfer the key that preserve the properties that make it useful as two factors in one.

        Basically, the device will only release the key in an encrypted fashion readable by another device able to make the same guarantees, after the user has used that device to authenticate to the first device using the key being transferred.
        A backup works the same way.
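The two points made in this thread (hardware-backed key storage turning the passkey signature into a possession factor, and a transfer that never exposes the key) as an added illustration in Go, written for this page and not taken from the comments, from 1Password, or from any vendor's or standard's code: a toy `Device` whose passkey private key is never handed back to the caller, a relying-party check of a challenge signature, and an `Export` that releases the key only wrapped for the receiving device's wrapping key, and only after the user has just authenticated with that same passkey. The RSA-OAEP wrap, the password-hash check, the `transferLabel` constant and the challenge strings are constructed modelling assumptions; a real implementation would rely on an attested, hardware-bound wrapping key and its own key-agreement scheme.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"errors"
	"fmt"
)

// Device is a toy model of hardware-backed passkey storage (not any vendor's protocol):
// the passkey private key only ever leaves the struct wrapped for another Device's wrapping key.
type Device struct {
	passkey  *ecdsa.PrivateKey // the credential; nil until created or imported
	wrapKey  *rsa.PrivateKey   // stand-in for an attested hardware key-wrapping key
	passHash [32]byte          // vault password hash: the "something you know" factor
}

const transferLabel = "passkey-transfer-model" // constructed OAEP label binding a blob to this purpose

// must panics on key-generation or encoding failures, which only happen if the RNG is broken.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewDevice provisions a device with a vault password and a fresh wrapping key pair.
func NewDevice(vaultPass string) *Device {
	return &Device{wrapKey: must(rsa.GenerateKey(rand.Reader, 2048)), passHash: sha256.Sum256([]byte(vaultPass))}
}

// CreatePasskey generates the credential; the relying party (RP) registers the public key.
func (d *Device) CreatePasskey() *ecdsa.PublicKey {
	d.passkey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return &d.passkey.PublicKey
}

// Sign demands both factors at auth time: the vault password (known, compared in constant time) and the key only this hardware holds.
func (d *Device) Sign(vaultPass string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(vaultPass))
	if d.passkey == nil || subtle.ConstantTimeCompare(h[:], d.passHash[:]) != 1 {
		return nil, errors.New("no passkey present or wrong vault password")
	}
	c := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.passkey, c[:])
}

// VerifyAssertion is the RP side: check the response against the registered public key.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	c := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, c[:], sig)
}

// Export releases the passkey only after a fresh user authentication with the very key being moved, wrapped for the recipient's (attested, in a real system) key.
func (d *Device) Export(recipient *rsa.PublicKey, challenge, userSig []byte) ([]byte, error) {
	if d.passkey == nil || !VerifyAssertion(&d.passkey.PublicKey, challenge, userSig) {
		return nil, errors.New("user did not authenticate with the passkey being moved")
	}
	der := must(x509.MarshalECPrivateKey(d.passkey))
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, der, []byte(transferLabel))
}

// Import unwraps with this device's private wrapping key; any other holder of the blob gets an OAEP error.
func (d *Device) Import(wrapped []byte) (err error) {
	der, err := rsa.DecryptOAEP(sha256.New(), nil, d.wrapKey, wrapped, []byte(transferLabel))
	if err == nil {
		d.passkey, err = x509.ParseECPrivateKey(der)
	}
	return err
}

// RunScenario walks the flow end to end and reports each security property as a named boolean.
func RunScenario() map[string]bool {
	src, dst := NewDevice("correct horse"), NewDevice("battery staple")
	pub := src.CreatePasskey()
	out := map[string]bool{}
	rpChallenge := []byte("constructed RP challenge 0001")
	_, err := src.Sign("guessed wrong", rpChallenge)
	out["wrong_password_refused"] = err != nil // possession alone does not authenticate
	sig, _ := src.Sign("correct horse", rpChallenge)
	out["rp_accepts_source"] = VerifyAssertion(pub, rpChallenge, sig)
	xfer := []byte("constructed transfer challenge")
	_, err = src.Export(&dst.wrapKey.PublicKey, xfer, []byte("not a signature"))
	out["export_without_user_auth_refused"] = err != nil
	userSig, _ := src.Sign("correct horse", xfer)
	wrapped := must(src.Export(&dst.wrapKey.PublicKey, xfer, userSig))
	out["third_party_cannot_unwrap"] = src.Import(wrapped) != nil // src lacks dst's private wrapping key
	if err := dst.Import(wrapped); err != nil {
		panic(err)
	}
	sig2, _ := dst.Sign("battery staple", rpChallenge)
	out["rp_accepts_target"] = VerifyAssertion(pub, rpChallenge, sig2) // same credential, no re-enrollment
	return out
}

func main() { fmt.Println(RunScenario()) }
```

Running `RunScenario` shows the properties the comments describe: a wrong vault password fails even on the hardware that holds the key, the wrapped blob is useless to anyone without the matching private wrapping key, and the target device answers the same relying-party challenge as the source without the credential ever having been readable in transit.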