top | item 42518323

noprocrasted | 1 year ago

Problem is that passkeys aren't resilient enough to loss of the authenticator device, which means a fallback flow is always made available, that is vulnerable to phishing/MITM/social engineering.

This is even more pronounced thanks to the efforts to roll out passkeys to the masses. Most of them don't understand what they're getting into and are most likely gonna get themselves locked out quite quickly, which may mean recovery flows need to actually become more relaxed than they currently are.

tptacek | 1 year ago

I'm not interested in litigating the broader question of Passkey-only login setups, only in spelling out why the field cares so much about phishing-resistant authenticators, which password managers and random passwords do not provide.
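As an added illustration of the point above (example code written for this thread, not from any commenter or from a real WebAuthn library): a minimal simulation of the relying-party checks that bind a passkey assertion to the origin it was produced on. `RP_ID`, `EXPECTED_ORIGIN` and the look-alike domain are constructed values; signature verification is omitted so only the origin/rpIdHash binding is shown.

```python
import hashlib
import json

# Constructed relying-party identity (assumed values for the example).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def rp_id_hash(rp_id: str) -> bytes:
    """First 32 bytes of authenticatorData: SHA-256 of the RP ID."""
    return hashlib.sha256(rp_id.encode()).digest()


def make_assertion(page_origin: str, page_rp_id: str, challenge: str) -> dict:
    """Simulate what the browser + authenticator hand back on a given page.

    The browser, not the user, writes the origin into clientDataJSON and only
    lets the authenticator use a credential whose RP ID matches the page's
    domain, so a look-alike site cannot mint data for someone else's RP ID.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    flags = bytes([0x01])  # user-present bit set
    counter = (0).to_bytes(4, "big")
    return {"clientDataJSON": client_data,
            "authenticatorData": rp_id_hash(page_rp_id) + flags + counter}


def verify_assertion(assertion: dict, expected_challenge: str) -> tuple:
    """Relying-party side checks (signature check omitted for brevity).

    Contrast with a password: the same string is accepted wherever it is typed,
    so a phishing page can simply relay it. Here the assertion carries the
    origin it was created on, and the server refuses anything else.
    """
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth = assertion["authenticatorData"]
    if auth[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    if not auth[32] & 0x01:
        return False, "user-present flag not set"
    return True, "ok"
```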