Comment on Passkeys Explained: The End of Passwords
Zak@piefed.world 2 days agoIf they can break intercept my password despite TLS, they can probably also steal my session. I'll grant that's marginally less bad since the attacker would have to do their evil immediately if I log out when finished.
I'm going to disagree that passkeys really have multifactor authentication built in. The passkey is a single factor. If it is compromised (an attacker steals the private key), that's all the attacker needs unless the service involved requires another factor like TOTP. The fact that it's usually harder to steal the private key than a password doesn't make it MFA.
I recognize the theoretical advantages, but my one attempt to use it (here, with Piefed) didn't go so well, so I'm not eager to jump in with both feet.
lmmarsano@lemmynsfw.com 1 day ago
Security is all about layers & reducing risk/surface area of attack. Anyhow, that’s not necessarily true: it could leak due to flaw or defect that doesn’t affect the session token. By getting your secret, they can leak it. Leaking a secret they don’t have, however, is impossible.
Then you’re disagreeing with standards & definitions. Passkeys are encrypted in an authenticator that needs a biometric or secret (ie, something you are or know) to unlock the key (something you have).
While it’s fine to share, “I tried something once, it sucked” is not a great argument to draw a generalization that technology sucks or isn’t better than your limited impression. Maybe piefed sucks: if piefed implemented password authentication wrong, would you blame password authentication?