HealthEquity to Replace Passwords with Passkeys

(healthequity.com)

5 points | by cbrews 14 hours ago

2 comments

  • cbrews 14 hours ago
    Apparently, following a recent serious data breach[0], HealthEquity is moving forward with an authentication change to deprecate username/password entirely in favor of Passkeys (WebAuthn resident key implementation).

    This struck me as a bit of "news" given the security posture being taken here. I haven't seen any other institution force adoption of Passkeys as the primary authentication mechanism to access their services; I've mostly seen 2FA/MFA implementations with Passkeys as an optional/additional authentication mechanism. Like many folks here[1], I've been hesitant to fully adopt passkeys as a primary authentication mechanism until the credential exchange specification[2] (which allows users to export/import keys from one credential storage platform to another) is finalized and better supported across the different credential stores.

    From this page:

      Can I opt out of using a passkey?
      No. Once passkey login is rolled out to your account, you’ll need to use it to access your benefits—either through the mobile app or on the web. Traditional login options won’t be available.
    
    [0] https://www.healthequity.com/breach

    [1] https://news.ycombinator.com/item?id=42548719

    [2] https://fidoalliance.org/specifications-credential-exchange-...