• Bitrot@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    The second factor doesn’t necessarily exist, since you’ve moved all of that to the client side now. It entirely depends on implementation and that the implementation is done correctly and is honest. The server only knows that you have the key, it’s single factor authentication.

    In the past, it verifies that I know the password and that I have a key on the server side through separate challenges.

    It’s still way better than username / password, it just has new (more difficult) vulnerabilities.