this post was submitted on 02 Jul 2024
39 points (97.6% liked)

Cybersecurity

5722 readers
127 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago
MODERATORS
 

Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.

you are viewing a single comment's thread
view the rest of the comments
[–] xyguy@startrek.website 4 points 4 months ago

You also get additional protection because rather than each website holding onto a hashed (hopefully) copy of the user passwords that can be stolen in bulk, stealing the public keys for a passkey from a site wouldn't compromise the account. Someone would have to get access to your physical device or hack your password manager individually to get access to your passkey.

And and, the magic for most people is no more passwords and 2 factor stuff to deal with. The standard is still new, and in the cases where you want to use physical keys, its always best to keep 2 in case one gets smushed or goes through the washer. Some sites that have passkeys enabled only let you have 1 passkey. So in that case its kind of risky to make a passkey the only way to sign in.