this post was submitted on 02 Jul 2024
39 points (97.6% liked)

Cybersecurity

5961 readers
213 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 2 years ago
MODERATORS
 

Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.

top 19 comments
sorted by: hot top controversial new old
[–] [email protected] 14 points 6 months ago (2 children)

Adversary in the middle? I guess man in the middle was misandrist? 😅

[–] Eezyville 5 points 6 months ago (1 children)
[–] [email protected] 1 points 6 months ago

It's very insulting to all the female hackers who have worked just as hard as their male peers to get good at fucking shit up

[–] [email protected] 4 points 6 months ago

This looks a bit different than a normal mitm so I assumed that warranted the new name

[–] [email protected] -4 points 6 months ago* (last edited 6 months ago) (2 children)

Wait, haven’t some sources been touting how ultra-secure and unbreakable passkeys are? And now we find that they’re susceptible to comparatively simple MITM attacks?

[–] [email protected] 18 points 6 months ago (2 children)

This is just someone siting in the middle and modifying a page not to show the passkey login option anymore and then stealing a password/session token.

As far as I can tell, this has almost nothing to do with passkeys specifically and would only apply in a situation where a website has a username and password fallback in case a passkey isn't created or isnt working.

[–] [email protected] 4 points 6 months ago (2 children)

I haven't started using passkeys yet because I haven't looked into them. Sell me on them?

[–] [email protected] 5 points 6 months ago* (last edited 6 months ago) (2 children)

I'm not an expert, so this is an oversimplification, but:

Passkeys are essentially like authenticating the same way you do via SSH, but with websites. The site will use a public key for your account. Your passkey holds the private key. That's it, as I understand it.

The advantages are that your accounts secured by passkeys will be inherently more difficult to crack than even the most complex, random passwords and it can't be phished (if you're using a physical passkey).

The disadvantage is that the standard is still being worked on, and bad actors (MS, Apple, Google, etc.) are eager and willing to sucker people in to using their vendor lock-in software implementations of them. If you want to avoid this, either use real, physical FIDO-capable hardware authentication keys, or use a FOSS password manager that is capable of emulating them.

[–] [email protected] 4 points 6 months ago

You also get additional protection because rather than each website holding onto a hashed (hopefully) copy of the user passwords that can be stolen in bulk, stealing the public keys for a passkey from a site wouldn't compromise the account. Someone would have to get access to your physical device or hack your password manager individually to get access to your passkey.

And and, the magic for most people is no more passwords and 2 factor stuff to deal with. The standard is still new, and in the cases where you want to use physical keys, its always best to keep 2 in case one gets smushed or goes through the washer. Some sites that have passkeys enabled only let you have 1 passkey. So in that case its kind of risky to make a passkey the only way to sign in.

[–] [email protected] 2 points 6 months ago (1 children)

Okay, so it's just like Yubikey-type stuff? I've thought about that before but it seems very risky - they recommend you get two and set both of them up so you have a backup, but that would require all websites to support that, right?

I'm down for using BitWarden, though, if I can substitute it for physical keys.

[–] [email protected] 3 points 6 months ago

Okay, so it's just like Yubikey-type stuff? I've thought about that before but it seems very risky - they recommend you get two and set both of them up so you have a backup, but that would require all websites to support that, right?

Pretty much. I suppose that's a very real disadvantage to using physical passkeys. If you lose it, unless you have multiple passkeys configured, or have access to an account recovery method, you lose that account.

But, like you mentioned, using Bitwarden would sidestep that issue, and they do support passkey emulation.

[–] [email protected] -2 points 6 months ago (1 children)

I haven’t either because I don’t see the advantage. Cases like this show that there may not be any.

[–] [email protected] 6 points 6 months ago (1 children)

Cases like this only prove that a better lock doesn't improve security when the old lock still lets you in.

The takeaway here isn't "passkeys are bad", it's "keeping less secure methods of authentication as a fallback is bad"

It's like saying all 2FA is bad because SMS 2FA is dogshit.

[–] [email protected] 2 points 6 months ago

This is the real takeaway, if you have a forgot password button that bypasses everything then none of it is anything more than a login accelerator.

[–] [email protected] -3 points 6 months ago (2 children)

If The Next Big Thing can be sidelined by simply blocking its login option, that’s a problem. Not only is it not secure, it’s not even reliably usable.

[–] [email protected] 7 points 6 months ago* (last edited 6 months ago)

This isn't inherent to passkeys or the standard that they use. This has to do with the configuration of the service being attacked and the fact that once you've achieved MiTM, the sky is the limit for what you can do.

Passkeys use the same underlying protocol as hardware authentication keys (FIDO, not the YubiKey auth protocol) and should be roughly as secure and vulnerable as that type of MFA method.

[–] [email protected] 2 points 6 months ago (1 children)

This is more like triple bolting the door but leaving a window open. There's nothing inherently wrong with the door, its still secure but you can bypass the secure option with a less secure method.

[–] [email protected] 2 points 6 months ago

Arguably, it’s more like someone is able to hide the door altogether and force you to climb through the less-well-secured window. The fact that they can hide the door at all makes its locks meaningless.

I get that this is an inherent problem of security mechanisms in general and not of passkeys in particular. But it still reduces passkeys to just fancy passwords. They’re obviously not any more reliable in practice.

[–] [email protected] 12 points 6 months ago

Passkeys are so secure that it's easier just to hack the page and not offer them as a login option, but that's your takeaway and you got multiple upvotes? God help us.