
As someone who happily uses Yubikeys, I really don't want to use a Passkey. I want to still use a username/password and the Yubikey. Not just username and Yubikey.

Google tries to force the use of passkeys now: if you enroll a Yubikey it will now be a Passkey, instead of a second factor. With no option to disable it. I have to run the Yubikey Manager tool and then disable "FIDO2", so that I can force it to only be used as a 2nd factor.



You can open your Firefox about:config and set security.webauthn.ctap2 to false.

This will cause a fallback to FIDO/U2F where possible and your browser will appear to not support FIDO2. I've observed this with the default Keycloak flow for Security Tokens. May be a bug, too...

I don't know if this works with Google but if you try it, let me know :)

This needs no restart of Firefox, so you can use it to quickly disable it instead of fully disabling it on your hardware token.


Using a direct link to Google's 2FA setup will allow a Yubikey to be set up as 2FA instead of a Passkey, too: https://joshua.hu/enrolling-hardware-keys-2fa-google-workspa...


Thanks for the link. But it doesn't work anymore. I am being prompted to register as a passkey!


> I want to still use a username/password and the Yubikey.

Why?


Because of the whole "multi-factor" thing, and not making account recovery impossible?

Passkeys are always going to be less secure than username + password + Webauthn, why would you intentionally make your account less secure and give yourself a massive failure mode in the process?


Password and other factors are not going anywhere. You can set a password, TOTP, email, phone and passkey at the same time. And use the passkey because it's convenient. But use another combination of factors if you need to access a website without the passkey. At least if the website owner allows it. But I think that most websites will allow it.


Account recovery is a separate issue. There's nothing about a passkey that makes account recovery any harder or easier than if someone loses their MFA TOTP device or forgets their password.


You can (and are generally required to unless you purposefully use a "non-compliant" implementation that ignores it) set a PIN on your passkey.

> Passkeys are always going to be less secure than username + password + Webauthn

It's less secure in the same way that a door is less secure if you put a single strip of duct tape across that same door. Technically yes, but not in any meaningful sense.


If you can recover your account solely with your username and password, then what security does your Yubikey provide?


Definitely not for security... so yeah, seems quite pointless.


Yubikey + PIN works as a very nice passkey


If you use Google Workspace you can set 2FA directly from the admin console, so you don't need to disable FIDO2 on the key. Does not help with gmail, though.


Not in my experience. In the Admin console I said do not use Passkey and it still created it as a Passkey :( This was about a month ago, so maybe they fixed it. Turning off FIDO2 made things work.


If you add a FIDO2 key as a security key in the admin console, it will show as a "passkey" in Google account settings, but it will actually be a non-resident key used only for 2FA and won't be able to be used for anything more than that.

Keys that do not support resident keys (or when you turn FIDO2 off) show differently in Google account settings which makes it all very confusing. The UX is inexcusable, really.

As a side note, turning on Advanced Protection also turns off passkeys.



