top | item 45737219


etskinner | 4 months ago

Let's assume your vault/login has these properties:

- You have a strong unlock password that you don't use anywhere else

- You have a second factor set up for unlocking the vault (TPM in the device you're using, Yubikey, TOTP, etc.)

- The service you're logging into has good account recovery hygiene

The benefit, assuming those things, is that the passkey is phishing-resistant and social-engineering-resistant. If a user gets an email saying "omg, someone tried to transfer your paypal, click this link to log in", then when they try to log in with the passkey, the site the attacker is using won't be able to use the passkey (because the passkey is associated with a particular domain). Even if the user wanted to bypass this, there's specifically no way for them to extract the contents of the passkey.

That is very different from a user having their password stored in their vault. They could easily forget to check the domain, or get tricked by a very similar looking one, and copy/paste their password into the attacker's form.
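The domain binding described in this comment, as an added simulation that is not code from the thread or from any passkey implementation. It follows the shape of a WebAuthn assertion (an rpIdHash plus flags, a clientDataJSON that the browser, not the page, fills with the origin, and a signature over authenticatorData || SHA-256(clientDataJSON)), with Ed25519 standing in for the usual ES256 and attestation, user verification and signature counters left out. The domains, credential id and challenge are constructed values; it needs the `cryptography` package.

```python
"""Constructed simulation of a passkey bound to one domain (not thread code).
Simplified WebAuthn-style assertion: Ed25519 instead of ES256, no attestation,
no user-verification flag, no signature counter."""
import hashlib
import json
from urllib.parse import urlsplit

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

RP_ID = "paypal.com"                            # relying party id: a domain
RP_ORIGIN = "https://www.paypal.com"            # origin the RP expects
PHISH_ORIGIN = "https://paypal-secure.example"  # constructed attacker origin


class Authenticator:
    """Holds private keys; each credential is scoped to one RP ID. Nothing here
    returns a private key: the user has no way to hand the passkey over."""

    def __init__(self):
        self._keys = {}  # (rp_id, credential_id) -> private key

    def make_credential(self, rp_id, cred_id):
        key = Ed25519PrivateKey.generate()
        self._keys[(rp_id, cred_id)] = key
        return key.public_key()  # only the public key leaves the device

    def get_assertion(self, rp_id, cred_id, client_data):
        key = self._keys.get((rp_id, cred_id))
        if key is None:
            raise LookupError("No passkeys saved for this site")
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
        sig = key.sign(auth_data + hashlib.sha256(client_data).digest())
        return auth_data, sig


def browser_get(authenticator, origin, rp_id, cred_id, challenge):
    """Browser's role: write the true page origin into clientData and refuse any
    rp_id that is not the page's host or a parent domain of it."""
    host = (urlsplit(origin).hostname or "").lower()
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError("rp_id %r is not valid for origin %r" % (rp_id, origin))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, cred_id, client_data)
    return client_data, auth_data, sig


def signature_valid(pub_key, client_data, auth_data, sig):
    """The signature covers authenticatorData and the hash of clientData."""
    try:
        pub_key.verify(sig, auth_data + hashlib.sha256(client_data).digest())
        return True
    except InvalidSignature:
        return False


def rp_verify(pub_key, challenge, client_data, auth_data, sig):
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    return signature_valid(pub_key, client_data, auth_data, sig)


def demo():
    """Legitimate login plus three phishing-style attempts; returns the outcomes."""
    auth = Authenticator()
    pub = auth.make_credential(RP_ID, "cred-1")
    ch = "server-challenge-1"  # constructed challenge
    results = {}
    # 1. Real site: www.paypal.com asks for rp_id paypal.com.
    results["legit"] = rp_verify(pub, ch, *browser_get(auth, RP_ORIGIN, RP_ID, "cred-1", ch))
    # 2. Phishing page relays the real challenge and asks for rp_id paypal.com.
    try:
        browser_get(auth, PHISH_ORIGIN, RP_ID, "cred-1", ch)
        results["phish_relay"] = "signed"
    except PermissionError:
        results["phish_relay"] = "browser refused"
    # 3. Phishing page asks under its own domain: no credential exists for it.
    try:
        browser_get(auth, PHISH_ORIGIN, "paypal-secure.example", "cred-1", ch)
        results["phish_own_domain"] = "signed"
    except LookupError as e:
        results["phish_own_domain"] = str(e)
    # 4. Rewriting the origin inside a genuine assertion breaks its signature.
    client_data, auth_data, sig = browser_get(auth, RP_ORIGIN, RP_ID, "cred-1", ch)
    tampered = client_data.replace(RP_ORIGIN.encode(), PHISH_ORIGIN.encode())
    results["tampered_sig_valid"] = signature_valid(pub, tampered, auth_data, sig)
    return results


if __name__ == "__main__":
    print(demo())
```

Case 3 is the "No passkeys saved for this site" prompt: the credential simply does not exist for the attacker's domain, and case 2 shows that asking for the real domain from the wrong origin is refused before the authenticator is ever consulted.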

abdullahkhalids | 4 months ago

My password manager (keepassxc) has a browser extension that only lets you autocomplete the password on a page if the url matches the one stored in the database.

Sure I could manually copy the password from the database, but in practice, this is fairly good security. It also doesn't treat the user as an always-idiot, which is a good thing in my book.
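The URL-match rule this comment describes, written out as an added example (not KeePassXC's extension code) of the policy a password manager can apply before filling a saved password: the page's host must equal the host the entry was saved under, over HTTPS, with subdomain matching as an explicit opt-in. The saved entry and the page URLs are constructed; `autofill_allowed` and `check_cases` are names chosen here.

```python
"""Constructed autofill policy: fill only when the page origin matches the
entry's saved URL. Illustrative, not the extension's actual code."""
from urllib.parse import urlsplit


def autofill_allowed(stored_url, page_url, allow_subdomains=False):
    """Return True only if page_url is the site the credential was saved for."""
    stored = urlsplit(stored_url)
    page = urlsplit(page_url)
    # Never fill over plain HTTP: the password would travel in the clear.
    if page.scheme != "https":
        return False
    # .hostname drops userinfo and port, so "https://good.com@evil.example"
    # is compared as evil.example, not good.com.
    saved_host = (stored.hostname or "").lower()
    page_host = (page.hostname or "").lower()
    if page_host == saved_host:
        return True
    # Opt-in: login.example.com for an entry saved as example.com. The leading
    # dot means "example.com.evil.example" still does not match.
    return allow_subdomains and page_host.endswith("." + saved_host)


def check_cases():
    """Constructed page URLs a user might land on for one saved entry."""
    saved = "https://www.paypal.com/signin"
    cases = {
        "same site": "https://www.paypal.com/signin?returnUrl=/account",
        "lookalike domain": "https://paypa1.com/signin",
        "real name as attacker subdomain": "https://www.paypal.com.evil.example/signin",
        "real name in userinfo": "https://www.paypal.com@evil.example/signin",
        "http downgrade": "http://www.paypal.com/signin",
    }
    return {name: autofill_allowed(saved, url) for name, url in cases.items()}


if __name__ == "__main__":
    for name, allowed in check_cases().items():
        print("%-35s %s" % (name, "fill" if allowed else "refuse"))
```

Only the first case fills; each of the others is a shape a "very similar looking" phishing URL commonly takes, and the extension's refusal is exactly the point at which the user would have to fall back to copying the password by hand.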

ewoodrich | 4 months ago

I'm struggling to think of a reason why being "treated as an always-idiot" is an actual negative in this specific example.

I use Bitwarden and when the password autofill doesn't work as expected my first assumption from many previous experiences is that it's because a website changed something slightly in their auth flow or a particular page has a weird redirect/embedded login scheme different than the primary login, or similar "modern" web weirdness.

So if I get phished and let my guard down just that one time due to panic, sleep deprivation, or whatever else I'm glad that it gives me a second layer of defense against me reflexively clicking a couple times to copy/paste the password manually. A passkey dropdown with "No passkeys saved for this site" would be a massive red flag and stop me in my tracks before trying to do something else stupid.

skybrian | 4 months ago

That works for you, but the website doesn't know you use a password manager, so they'll often want you to use SMS as a second factor.

Passkeys require some kind of password manager. That's the main benefit. The adoption problems are because a lot of users don't really understand password managers.