Passkeys not recognized as a second factor?

We are experimenting with using passkeys as a second factor. However, the user interface seems to be indicating that a passkey is not an acceptable second factor.

The images below were presented to me on one screen after I added a passkey as a second factor. 

chrismc_0-1737664299158.png

chrismc_1-1737664326640.png

To me, since the passkey was added, there should not be the error message in red at the top of the screen and there should be a "green checkmark" next to "passkeys and security keys".

What do you all think?


Having the same issue here. While testing, I was able to get it to work by adding both a passkey and a security key. Once I did that I could enable 2FA, then while 2FA was enabled I was able to remove all but the passkey and it didn't complain.

I'm under the impression that passkeys are a replacement for your password, and (eventually, once it's out of beta) using a passkey will remove the need for a second step; this is why it's not an option for a second step.

Yeah I was thinking that might be the case, I just wish it was documented more explicitly.

Ideally I'm looking for a configuration for specific users at higher risk of phishing, so I'd like to avoid SMS and other flows where they can be socially engineered to share a code, but without deploying hw security keys.

The idea of going passkey only makes sense but it's going to be hard to consider dropping 2FA 🙂

@composedmove have you looked at Google's Advanced Protection Program?

Yup. Generally I have felt it was probably overkill for the use case I have in mind but I'll take another look, thx

Just checking back in on this. I guess the better question is "What's the best way to report a bug to Google?"

@chrismc I'm not sure what the bug is as passkeys aren't meant to be a second factor.

If you want to raise an issue with Google then create a support case.

Aren't they meant? But they are used as a second factor all the time. 

You may be able to use it as a fallback, but to get set up you need to have one of the regular second factors, i.e. a mobile phone or organisation-issued security key, first, then authenticator etc. as secondary methods.

Thanks for the suggestion, @StephenHind. I logged a case and it has been identified as a bug.

Hi Chris — Thank you for your informative posts here. Did this issue ever get sorted out fully? We're trying to decide in our organization whether we can safely turn on the setting for "security key only" to enforce mandatory passkey use for logins, without somehow locking people out in the process. Thank you for any insight you can share.

Hi, @davidcraig. We are still piloting passkeys as the only 2SV method. We are using a Google group to enforce this with about 40 users. Using the Google group means that users don't have to unenroll other 2SV methods and therefore don't see the error messages. We have discovered several widely-used software apps (Adobe, MS Office installation, Cisco VPN, and others) that do not support passkeys, so it has delayed rolling this out further. Handing out security keys (which can generate one-time codes) or having those pilot users contact our service desk for a one-time code are the work-arounds. We are also hoping Google will update options and error messages in the near future.

Thank you, Chris; much appreciated.
