this post was submitted on 02 Jul 2024
39 points (97.6% liked)
Cybersecurity
5764 readers
69 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
Notable mention to [email protected]
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This is just someone siting in the middle and modifying a page not to show the passkey login option anymore and then stealing a password/session token.
As far as I can tell, this has almost nothing to do with passkeys specifically and would only apply in a situation where a website has a username and password fallback in case a passkey isn't created or isnt working.
I haven't started using passkeys yet because I haven't looked into them. Sell me on them?
I'm not an expert, so this is an oversimplification, but:
Passkeys are essentially like authenticating the same way you do via SSH, but with websites. The site will use a public key for your account. Your passkey holds the private key. That's it, as I understand it.
The advantages are that your accounts secured by passkeys will be inherently more difficult to crack than even the most complex, random passwords and it can't be phished (if you're using a physical passkey).
The disadvantage is that the standard is still being worked on, and bad actors (MS, Apple, Google, etc.) are eager and willing to sucker people in to using their vendor lock-in software implementations of them. If you want to avoid this, either use real, physical FIDO-capable hardware authentication keys, or use a FOSS password manager that is capable of emulating them.
You also get additional protection because rather than each website holding onto a hashed (hopefully) copy of the user passwords that can be stolen in bulk, stealing the public keys for a passkey from a site wouldn't compromise the account. Someone would have to get access to your physical device or hack your password manager individually to get access to your passkey.
And and, the magic for most people is no more passwords and 2 factor stuff to deal with. The standard is still new, and in the cases where you want to use physical keys, its always best to keep 2 in case one gets smushed or goes through the washer. Some sites that have passkeys enabled only let you have 1 passkey. So in that case its kind of risky to make a passkey the only way to sign in.