Besides built-in platform authenticators, what hardware can act as a passkey/FIDO2 authenticator, and how can it also serve as a second factor?
A dedicated FIDO2 security key (a special USB stick, from ~30 euros as reported by the German computing magazine c't in 2023) can store passkeys; even on sites that don't support full passkey login, such a key can be registered as a phishing-resistant second factor.
The coverage in c't (a respected German computing magazine published by Heise) describes several authenticator options beyond the device's own chip:
- FIDO2 security keys ("Sicherheitsschlüssel") — USB sticks built specifically for FIDO2/WebAuthn, the classic cross-platform/roaming authenticator.
- A smartphone linked via QR code, or a password manager acting as the authenticator.
Even where a service hasn't enabled passwordless login, you can often add a FIDO2 key as a second factor. Note c't's caveat: in that mode you're not passwordless — you still need your password plus the key, so it's 2FA, not a full passkey replacement.
Tip: Same physical key, two roles: a full passwordless passkey on supporting sites, or a strong phishing-resistant 2FA on sites that still want a password.