Depends on the system. The thing where your password manager is managing your passkeys? That’s a single factor unless it’s doing something tricky that none of them do.
When it’s the tpm or a Bluetooth connection to your phone? That’s actually two factors, and great.
For instance, 1Password requires your secret key for initial login/setup on a device along with the username and password. After initial login/setup the secret key is no longer required, but you still need the password to access.
I’d call that a fair trade off. Someone would need to know my password and have unfettered access to my previously set up device to login, or they would need to know the secret key.
The secret key is not stored by 1Password (the company). If you store it in 1Password and the last device is lost/broken/stolen then your account is essentially dead. You have no way to get back in.
Can it be copied from your phone? (e.g. by migrating your phone via a backup)
Then it can be compromitted and is essentially a single factor (because some website permit you to login via the key only).
Only if you’d need to completetly renew the key, then it’s truly secure.
There are secure ways to transfer the key that preserve the properties that make it useful as two factors in one.
Basically, the device will only release the key in an encrypted fashion readable by another device able to make the same guarantees, after the user has used that device to authenticate to the first device using the key being transferred.
A backup works the same way.
If they arent on a USB stick, protected against being copied, they are only a single factor that instill false safety.
Depends on the system. The thing where your password manager is managing your passkeys? That’s a single factor unless it’s doing something tricky that none of them do.
When it’s the tpm or a Bluetooth connection to your phone? That’s actually two factors, and great.
I’m curious what you think tricky is?
For instance, 1Password requires your secret key for initial login/setup on a device along with the username and password. After initial login/setup the secret key is no longer required, but you still need the password to access.
I’d call that a fair trade off. Someone would need to know my password and have unfettered access to my previously set up device to login, or they would need to know the secret key.
The secret key is not stored by 1Password (the company). If you store it in 1Password and the last device is lost/broken/stolen then your account is essentially dead. You have no way to get back in.
Can it be copied from your phone? (e.g. by migrating your phone via a backup)
Then it can be compromitted and is essentially a single factor (because some website permit you to login via the key only).
Only if you’d need to completetly renew the key, then it’s truly secure.
There are secure ways to transfer the key that preserve the properties that make it useful as two factors in one.
Basically, the device will only release the key in an encrypted fashion readable by another device able to make the same guarantees, after the user has used that device to authenticate to the first device using the key being transferred.
A backup works the same way.