authentication – Can Passkeys act as FIDO2 U2F devices, replacing YubiKeys?


To put it more precisely, can Apple’s new Passkeys feature allow Apple devices to basically use their built-in Secure Enclaves like built-in U2F devices, replacing external USB security dongles like YubiKeys? So your two factor authentication (2FA) factors become “something you have” (an Apple device with your Passkey private keys in the Secure Enclave), and “something you are” (your face/fingerprint biometrics)?

I seem to recall that the new Passkeys feature that Apple announced at WWDC 2022, to ship in Apple’s Fall 2022 OS updates (iOS 16, macOS 13 Ventura, Safari 16, etc.), is built, at least in part, on industry-standard authentication schemes such as FIDO2.

I know FIDO2 is what allows “Universal Second Factor” (U2F) devices like YubiKey USB dongles to work as physical multifactor authentication (MFA) devices.

Putting those two things together, does that mean that the Passkeys feature will allow me to use my Apple devices (via FaceID/TouchID and Secure Enclave) as FIDO2 U2F devices, obviating the need for dedicated U2F USB dongles such as YubiKeys?

For a concrete example, when signing into Amazon Web Services (AWS), one option for MFA is to use FIDO2 to support things like YubiKeys; this keeps you from needing to hassle with getting a 6-digit TOTP code from an authenticator app, or using insecure SMS to get a code sent to you. I’m hoping I’ll be able to select that MFA method on AWS but set it up to use Passkeys instead of needing a YubiKey.
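The question turns on what a FIDO2/WebAuthn relying party actually receives from an authenticator. The following is an added example, not code from the question or from Apple, modelling one WebAuthn assertion exchange in Go with the standard library: `Authenticator` is a hypothetical stand-in for whatever holds the credential key (a Secure Enclave passkey or a YubiKey look the same at this layer), `RelyingParty` is the server-side check. The ES256 key, the RP ID `example.com`, the origin and the challenge bytes are all constructed for the example. It shows the pieces the question talks about: the `UV` flag is how the authenticator reports that it verified the user (Face ID / Touch ID, or a PIN on a USB key), `UP` is the touch/approval, and the signature covers the RP ID hash, the origin and the server's challenge. Registration-time attestation, which is where a server could learn what kind of authenticator it is talking to, is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// WebAuthn authenticator-data flag bits: UP = user present (touch/prompt),
// UV = user verified (biometric or PIN checked by the authenticator itself).
const flagUP, flagUV = 0x01, 0x04

// Authenticator stands in for any FIDO2 authenticator, Secure Enclave passkey
// or USB key alike. Hypothetical type: real hardware never exposes priv.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // per-credential signature counter
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256 credential key
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Sign builds authenticatorData = rpIdHash || flags || signCount plus the
// clientDataJSON, then signs SHA-256(authData || SHA-256(clientDataJSON)).
func (a *Authenticator) Sign(rpID, origin string, challenge []byte, userVerified bool) (*Assertion, error) {
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = flagUP
	if userVerified {
		authData[32] |= flagUV
	}
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	clientData, _ := json.Marshal(map[string]string{ // a string map always marshals
		"type":      "webauthn.get",
		"challenge": base64.RawURLEncoding.EncodeToString(challenge),
		"origin":    origin,
	})
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, clientData))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: clientData, Signature: sig}, nil
}

// signedDigest is the exact message both sides sign and verify.
func signedDigest(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// RelyingParty holds what the server stored for the credential at registration.
type RelyingParty struct {
	RPID, Origin string
	Pub          *ecdsa.PublicKey
	lastCounter  uint32
}

// Verify runs the relying-party checks; requireUV is the server's policy that the authenticator itself verified the user.
func (rp *RelyingParty) Verify(as *Assertion, challenge []byte, requireUV bool) error {
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]) {
		return errors.New("authenticator data malformed or for another RP ID")
	}
	if f := as.AuthData[32]; f&flagUP == 0 || (requireUV && f&flagUV == 0) {
		return errors.New("user presence/verification flags not satisfied")
	}
	var cd struct{ Type, Challenge, Origin string } // field names match JSON keys case-insensitively
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Origin != rp.Origin || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("clientDataJSON type/origin/challenge mismatch")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	// Spec counter rule: checked only when either value is non-zero, since counter-less authenticators report 0.
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	if (counter != 0 || rp.lastCounter != 0) && counter <= rp.lastCounter {
		return errors.New("signature counter did not increase: replay or cloned key")
	}
	rp.lastCounter = counter
	return nil
}
```

The origin and RP ID checks are what make this phishing-resistant regardless of form factor: a signature produced for `https://evil.example` fails verification at the real site even though the same key signed it. Whether a given service lets you enrol a platform authenticator rather than a USB key is a policy decision on that service's side and is not something the assertion format itself decides.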