Comment on Google will now make passkeys the default for personal accounts
V0lD@lemmy.world 1 year agoBut it becomes much easier if you want to compromise a specific target individual
Comment on Google will now make passkeys the default for personal accounts
V0lD@lemmy.world 1 year agoBut it becomes much easier if you want to compromise a specific target individual
alvvayson@lemmy.world 1 year ago
No, not really.
Even if you want to target a specific user, it doesn’t become necessarily easier.
Unless you happen to target an individual that combines good password OpSec with shitty phone OpSec.
But I would expect those to be a minority.
V0lD@lemmy.world 1 year ago
Hi, yes, I am that minority
I have a 37 character password with both cases, numbers and special characters to login to my pw vault using long random strings
My phone has a swipe pattern lock since that is the safest lock option it allows in the first place. I wish I could lock it better, but the only other options available to me are a 4 character pin, and fingerprints/facial scan. I hope the problems with those are obvious
Couple that with the fact that I have a daily predictable commute in public transit where I have a habit to put my phone next to me during breakfast and you have a recipe for disaster.
greybeard@lemmy.one 1 year ago
Finger prints on Android stop working after 24 hours, a reboot, and some other cercumstances. I feel pretty OK using fingerprint to unlock my phone, because in about 99% of cases I might be compelled to unlock my phone, I will either be able to restart it first, or that 24 hour timer will have expired.
V0lD@lemmy.world 1 year ago
I may be misunderstanding you, but how does that stop an attacker?
Getting a copy of someone’s fingerprint can be done without their knowledge since it is the easiest biometric to accidentally leave behind. Having to restart my phone doesn’t suddenly change my fingerprints.
Or, do you have to actually re-register your prints on a daily basis via a different form of authentication? That’d seem inconvenient and like it would just move the problem around
alvvayson@lemmy.world 1 year ago
You can still use a 37 character password to protect your passkeys in your pw vault, so it’s not like anyone is forcing you to change.
It’s still a single factor though. The number of times I have had to lecture IT admins that their 64 character passwords was compromised by a keylogger and that they need to move towards MFA is too damn high.
As for your phone, if that’s sufficient for you, go for it.
There are better phones out there.
hedgehog@ttrpg.network 1 year ago
Even FIDO2 MFA doesn’t protect you from attacks that involve malware running on your machine. If there was a keylogger on their machine then that machine is likely compromised in other ways, and any credentials entered or stored on it should be considered compromised and should be reset.
V0lD@lemmy.world 1 year ago
I have MFA in addition to that pw, yes
That’s news to me. Which other mobile authentication is there besides pin, pattern, facial and fingerprint?