Sharing a blog I wrote giving a crude demo for how to bootstrap a passkey-only login flow for a web app. Hoping it gives you all inspiration to push towards passkeys and OIDC because everyone still screws up MFA when applied at large enough scales.

In one step, Passkeys provide multiple forms of authentication including:

* FIDO2 based credential
* Origin verification of the requesting web app by the Platform Authenticator (this part makes them phish resistant)
* user password, because you had to unlock the platform authenticator in the first place
* device authentication, because the passkeys are stored within device bound platform authenticators

Don't let your lazy compliance people tell you passkeys aren't MFA.
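The factors listed above are exactly what a relying party reads back out of a WebAuthn assertion. As an added illustration (not code from the linked blog or any library), here is a stand-alone Python check of the server-side fields that carry them: the browser-supplied `origin` in `clientDataJSON` (the phishing-resistance part), the `rpIdHash` that binds the credential to the site, and the user-present / user-verified flag bits in `authenticatorData` that show the platform authenticator was unlocked. The relying-party ID `example.com`, origin `https://example.com`, and the `make_constructed_assertion` helper that fabricates sample authenticator output are assumptions for the demo; real assertions also carry a signature over `authData || SHA-256(clientDataJSON)`, which this code returns as `signed_payload` for verification with the stored credential public key using a proper crypto library.

```python
import base64
import hashlib
import json
import secrets
import struct

# Hypothetical relying party; assumed values for this demo, not from the post.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

# Flag bits in the authenticatorData byte at offset 32 (WebAuthn authenticator data layout).
FLAG_UP = 0x01  # user present: someone touched/interacted with the authenticator
FLAG_UV = 0x04  # user verified: PIN or biometric unlocked the platform authenticator


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN,
                     require_uv: bool = True) -> dict:
    """Relying-party checks on a passkey assertion, excluding the signature check.

    Returns the bytes the authenticator signed (authData || SHA-256(clientDataJSON))
    so the caller can verify the signature against the stored credential public key.
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replay or wrong session)")
    # The browser fills in origin from the page that called navigator.credentials.get();
    # a page served from any other origin cannot produce a matching value.
    if cd.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {cd.get('origin')!r}")

    ad = parse_authenticator_data(auth_data)
    # rpIdHash ties the credential to this relying party ID.
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not ad["user_present"]:
        raise ValueError("user presence not asserted")
    if require_uv and not ad["user_verified"]:
        raise ValueError("user verification (PIN/biometric) not asserted")

    signed_payload = auth_data + hashlib.sha256(client_data_json).digest()
    return {"sign_count": ad["sign_count"], "user_verified": ad["user_verified"],
            "signed_payload": signed_payload}


def make_constructed_assertion(challenge: bytes, origin: str, rp_id: str,
                               user_verified: bool = True, sign_count: int = 1):
    """Constructed sample authenticator output for the demo (no real key or signature)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    flags = FLAG_UP | (FLAG_UV if user_verified else 0)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data, auth_data


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)  # server-generated per login attempt
    cd, ad = make_constructed_assertion(challenge, EXPECTED_ORIGIN, RP_ID)
    print("accepted, user_verified =", verify_assertion(cd, ad, challenge)["user_verified"])
    # An assertion produced on a different origin is rejected before any key is consulted.
    cd2, ad2 = make_constructed_assertion(challenge, "https://example.org", RP_ID)
    try:
        verify_assertion(cd2, ad2, challenge)
    except ValueError as e:
        print("rejected:", e)
```

Setting `require_uv=True` is what turns "the user unlocked the device" into a policy the server actually enforces; without it an authenticator that only asserts presence would still pass.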