Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.

  • CaptObvious@literature.cafe
    link
    fedilink
    English
    arrow-up
    1
    ·
    5 months ago

    If The Next Big Thing can be sidelined by simply blocking its login option, that’s a problem. Not only is it not secure, it’s not even reliably usable.

    • trevor
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      5 months ago

      This isn’t inherent to passkeys or the standard that they use. This has to do with the configuration of the service being attacked and the fact that once you’ve achieved MiTM, the sky is the limit for what you can do.

      Passkeys use the same underlying protocol as hardware authentication keys (FIDO, not the YubiKey auth protocol) and should be roughly as secure and vulnerable as that type of MFA method.

    • xyguy@startrek.website
      link
      fedilink
      English
      arrow-up
      2
      ·
      5 months ago

      This is more like triple bolting the door but leaving a window open. There’s nothing inherently wrong with the door, its still secure but you can bypass the secure option with a less secure method.

      • CaptObvious@literature.cafe
        link
        fedilink
        English
        arrow-up
        2
        ·
        5 months ago

        Arguably, it’s more like someone is able to hide the door altogether and force you to climb through the less-well-secured window. The fact that they can hide the door at all makes its locks meaningless.

        I get that this is an inherent problem of security mechanisms in general and not of passkeys in particular. But it still reduces passkeys to just fancy passwords. They’re obviously not any more reliable in practice.