Passkey Redaction Attacks Subvert GitHub, Microsoft Authentication (www.darkreading.com)

submitted 1 week ago by BrikoX to c/[email protected]

19 comments fedilink hide all child comments

Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.

you are viewing a single comment's thread
view the rest of the comments

[-] [email protected] 18 points 1 week ago

This is just someone siting in the middle and modifying a page not to show the passkey login option anymore and then stealing a password/session token.

As far as I can tell, this has almost nothing to do with passkeys specifically and would only apply in a situation where a website has a username and password fallback in case a passkey isn't created or isnt working.

[-] [email protected] 4 points 1 week ago

I haven't started using passkeys yet because I haven't looked into them. Sell me on them?

[-] [email protected] 5 points 1 week ago* (last edited 1 week ago)

I'm not an expert, so this is an oversimplification, but:

Passkeys are essentially like authenticating the same way you do via SSH, but with websites. The site will use a public key for your account. Your passkey holds the private key. That's it, as I understand it.

The advantages are that your accounts secured by passkeys will be inherently more difficult to crack than even the most complex, random passwords and it can't be phished (if you're using a physical passkey).

The disadvantage is that the standard is still being worked on, and bad actors (MS, Apple, Google, etc.) are eager and willing to sucker people in to using their vendor lock-in software implementations of them. If you want to avoid this, either use real, physical FIDO-capable hardware authentication keys, or use a FOSS password manager that is capable of emulating them.

[-] [email protected] 2 points 1 week ago

Okay, so it's just like Yubikey-type stuff? I've thought about that before but it seems very risky - they recommend you get two and set both of them up so you have a backup, but that would require all websites to support that, right?

I'm down for using BitWarden, though, if I can substitute it for physical keys.

[-] [email protected] 3 points 1 week ago

Okay, so it's just like Yubikey-type stuff? I've thought about that before but it seems very risky - they recommend you get two and set both of them up so you have a backup, but that would require all websites to support that, right?

Pretty much. I suppose that's a very real disadvantage to using physical passkeys. If you lose it, unless you have multiple passkeys configured, or have access to an account recovery method, you lose that account.

But, like you mentioned, using Bitwarden would sidestep that issue, and they do support passkey emulation.

load more comments (1 replies)

load more comments (4 replies)

load more comments (8 replies)

this post was submitted on 02 Jul 2024

38 points (97.5% liked)

Cybersecurity

5025 readers

148 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 1 year ago

MODERATORS

[email protected]