When you do passwordless, does it count as AAL2?
# talk-kratos
b
When you do passwordless, does it count as AAL2?
m
Yes, when you complete a second factor (`totp`, `lookup_secrets`, `webauthn`) that counts as AAL2
s
AAL2 just means two factors, but it does not require any of them to be a password
b
@User got it. So from my understanding `webauthn` can work as `passwordless` and as `second factor`. Can it do both? One user has password, webauthn. Another user has webauthn and totp
s
I mean, passwordless just means no password, and second factor means that there is a second factor. I don't really see a dependency between the two terms?
b
@User https://www.ory.sh/docs/kratos/guides/two-factor-authentication-2fa-mfa#authenticator-assurance-level-aal Here aal2 is explained as first (password or oidc) plus second (webauthn).
> Ory's WebAuthN implementation can be used for both multi-factor authentication and passwordless authentication. You need to configure whether WebAuthn is used for passwordless, or for multi-factor authentication.
This implies that webauthn can only be either "first" or "second", but not both. My question was whether the user can decide how to use it themselves, and it looks like the answer is no.
s
webauthn usually proves possession of a physical thing, which is one factor. It wouldn't make much sense to use it twice, same as you don't have two passwords anywhere
but yeah, I also think it is not possible to have the user decide the order of auth methods, i.e.
> Ory's WebAuthN implementation can be used for both multi-factor authentication and passwordless authentication. You need to configure whether WebAuthn is used for passwordless, or for multi-factor authentication.
b
Got it, thanks!