Why are passkeys described as having a built-in second factor, even though you only do one quick action to log in?
Logging in needs two things at once: possession of the device that holds the private key (factor 1) plus a local PIN or biometric to unlock it (factor 2) — so a single tap already combines "something you have" and "something you are/know."
A passkey login feels like one step, but two independent factors are involved:
- Possession — the private key lives only on your device (phone, laptop, or a FIDO2 security key). Without that device there is nothing to sign with.
- Unlock — a PIN, fingerprint, or face scan releases the key locally. As in the TPM flow, this unlock stays on the device and is never transmitted.
Because both are required and the unlock secret never leaves the device, you get effective multi-factor strength without the friction of a separate one-time-code app. Per c't (2023), this is why passkeys are pitched as replacing both the password and the clumsy second-factor step.
Tip: Contrast with a password + SMS code: there both factors travel over the network and can be phished or intercepted. A passkey's "factors" are local and a phisher can capture neither.