WingNews logo WingNews
top | item 37833427

(no title)

JaneLovesDotNet | 2 years ago

Correct me if I'm wrong but isn't it fair to say that passkeys secured on your phone are more secure than 1FA (password) but less secure than "traditional" 2FA?

   Passkey 2FA: unlock your phone and the passkey on your phone can log you in.

   Traditional 2FA: remember a password AND unlock your phone (where your TOTP is stored) and you can login
If I were to rate all 3 methods on a scale of 1 to 10, for convenience and security, I'd say:

     Method       Convenience   Security       

  Password only:      4/10        2/10

  Passkey 2FA:        9/10        8/10

  Traditional 2FA:    6/10        9/10
Fair?

discuss

order

forward1|2 years ago

Passwordless authentication > hardware-backed MFA > TOTP/HOTP MFA > SMS MFA > no MFA

The reason being is the secret used to authenticate you is non-portable (since it's based on asymmetric crypto, it doesn't need to be shared). On the other hand, portable credentials, like TOTP/HOTP code AND passwords are responsible for almost all compromise today.

Bearer token based authentication will always be inferior to FIDO/U2F - it's not even the same ballgame.

px43|2 years ago

No, if you break into a site using passkeys, it gives you literally zero information that can be used to authenticate as any of the users. Think about the prevalence of data breaches in the past decade, and the sharp rise in the effectiveness of password stuffing, and think about why this change might be a good idea.

Also even with traditional 2FA, TOTP can be phished. See https://github.com/kgretzky/evilginx2

WebAuthn almost entirely eliminates phishing risk (at least with respect to credential harvesting), and Passkeys are a really nice, clean UX for using WebAuthn.

the_snooze|2 years ago

>No, if you break into a site using passkeys, it gives you literally zero information that can be used to authenticate as any of the users. Think about the prevalence of data breaches in the past decade, and the sharp rise in the effectiveness of password stuffing, and think about why this change might be a good idea.

An implication of that is passkeys let you use the same authenticators across multiple services safely. Instead of keeping track of unique passwords across all those services (or worse, reusing passwords), you can just have a passkey-registered phone and one or two Yubikeys for backups/convenience. You'd be a very hard target for account compromise. That setup is highly phishing-resistant and immune to credential-stuffing, without the cognitive load of passwords.

orev|2 years ago

Nobody should be using a remembered password anymore. Most people are likely using the phone for both the password and the MFA code.

doublerabbit|2 years ago

> Nobody should be using a remembered password anymore.

Nobody is a strong number, why?

I don't want to use biometrics for logging in to my SSH terminal. I dislike having to use my phone for authentication methods.

I go many places without my phone. Even tempted to gon on holiday without it. Maybe I'm just one of the few who actually enjoys turning it off when coding, developing or whatever.

JaneLovesDotNet|2 years ago

Right, in which case passkeys would be equally secure. But if you DO memorize the password (for example for your most sensitive account), then it feels like traditional 2FA is more secure.

That being said passkeys win if you also take convenience into account. I've updated my original comment with convenience scores to reflect that.