We are experimenting with using passkeys as a second factor. However, the user interface seems to be indicating that a passkey is not an acceptable second factor.
The images below were presented to me on one screen after I added a passkey as a second factor.
To me, since the passkey was added, there should not be the error message in red at the top of the screen and there should be a "green checkmark" next to "passkeys and security keys".
What do you all think?
Having the same issue here. While testing I was able to get it to work by adding both a passkey and a security key. Once I did that I could enable 2FA, then while 2FA was enabled I was able to remove all but the passkey and it didn't complain.
I'm under the impression that passkeys are a replacement to your password, and (eventually, once it's out of beta) using a passkey will remove the need for a second step; this is why it's not an option for a second step.
Yeah I was thinking that might be the case, I just wish it was documented more explicitly.
Ideally I'm looking for a configuration for specific users at higher risk of phishing, so I'd like to avoid SMS and other flows where they can be socially engineered to share a code, but without deploying hw security keys.
The idea of going passkey only makes sense but it's going to be hard to consider dropping 2FA
@composedmove have you looked at Google's Advanced Protection Program?
Yup. Generally I have felt it was probably overkill for the use case I have in mind but I'll take another look, thx
Just checking back in on this. I guess the better question is "What's the best way to report a bug to Google?"
@chrismc I'm not sure what the bug is as passkeys aren't meant to be a second factor.
If you want to raise an issue with Google then Create a support case.
Aren't they meant? But they are used as a second factor all the time.
You may be able to use it as a fallback, but to get set up you need to have one of the regular second factors, i.e. a mobile phone or organisation-issued security key, first, then authenticator etc. as secondary methods.
Thanks for the suggestion, @StephenHind. I logged a case and it has been identified as a bug.