Description
All physical (something you are) passkeys are inherently susceptible to an attack by a party having control both of the user and the device, and face recognition in particular can be trivially exploited by bringing the device before the user. Introducing a required active component, such as a spoken password registered by a microphone, or a pattern of facial expressions (as simple as a series of blinks or eye movements) would introduce minimal additional inconvenience to a user while preventing those trivial attacks and providing plausible deniability.
Implementation of the spoken component in particular doesn't pose a particular challenge and would bring Howdy somewhat closer to 2FA. Eye tracking could provide a level of privacy comparable to typing in a password.