this post was submitted on 02 Jul 2024
38 points (97.5% liked)
Cybersecurity
5476 readers
55 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
Notable mention to [email protected]
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Wait, haven’t some sources been touting how ultra-secure and unbreakable passkeys are? And now we find that they’re susceptible to comparatively simple MITM attacks?
This is just someone siting in the middle and modifying a page not to show the passkey login option anymore and then stealing a password/session token.
As far as I can tell, this has almost nothing to do with passkeys specifically and would only apply in a situation where a website has a username and password fallback in case a passkey isn't created or isnt working.
If The Next Big Thing can be sidelined by simply blocking its login option, that’s a problem. Not only is it not secure, it’s not even reliably usable.
This isn't inherent to passkeys or the standard that they use. This has to do with the configuration of the service being attacked and the fact that once you've achieved MiTM, the sky is the limit for what you can do.
Passkeys use the same underlying protocol as hardware authentication keys (FIDO, not the YubiKey auth protocol) and should be roughly as secure and vulnerable as that type of MFA method.