Comment on Google will now make passkeys the default for personal accounts
a_fancy_kiwi@lemmy.world 1 year ago
Not necessarily. I can’t imagine they’d want you to log in to your iCloud or Google account on a public computer. It will probably work how Microsoft “Authenticator” works or how it works when you try logging in to iCloud or your Google account when you have 2FA turned on:
- Type in your username and click submit on the library computer
- The service on the computer tells you to look at your phone
- In the background, the service sent an encrypted challenge to your iCloud account
- All your devices receive a notification asking if that’s you trying to log in
- You pull out your phone, click yes
- In the background, your phone decrypts the challenge and sends it back to the server
- The server verifies it’s you who is trying to log in and logs you in on the library computer
No sharing of keys necessary.
Nolegjoe@lemmy.world 1 year ago
If that’s the case, then a bad actor could spam someone’s phone with notifications. All they’d need is a username.
Or, like my mum, you don’t read what the notification says and just hit ‘OK’. Now you’ve let someone into your account without realising.
a_fancy_kiwi@lemmy.world 1 year ago
Shit. Good point. According to this blog at 1Password, Bluetooth can be used to have one device verify another for a service. So I guess if the public device has Bluetooth, it’s possible 🤷‍♂️
Natanael@slrpnk.net 1 year ago
There are more ways, such as scanning a QR code to establish a connection from the app to the computer, or by presenting a number on one device which must be entered on the other.
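
Added example, not part of any comment above and not code from Google, Apple or Microsoft: server-side handling for the two problems raised in the thread, prompt spam from anyone who knows a username and blind taps on "OK". It throttles prompts per username and requires the number shown on the login screen to be entered on the phone. The class name, limits and two-digit code are assumptions.

```python
import hmac
import secrets
import time

PROMPT_TTL = 60          # seconds a prompt stays valid (assumed value)
MAX_PROMPTS = 3          # prompts allowed per username per window (assumed)
WINDOW = 300             # throttle window in seconds (assumed)


class PushApprovals:
    """Hypothetical server-side store for push login prompts."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._pending = {}   # username -> (code, expiry time)
        self._sent = {}      # username -> timestamps of recent prompts

    def start_login(self, user):
        """Someone submitted `user` on a login page.

        Returns the number to display on that page, or None when the
        username has been prompted too often (no notification is sent).
        """
        t = self._now()
        recent = [s for s in self._sent.get(user, []) if t - s < WINDOW]
        if len(recent) >= MAX_PROMPTS:
            self._sent[user] = recent
            return None
        recent.append(t)
        self._sent[user] = recent
        code = f"{secrets.randbelow(100):02d}"
        # A new prompt replaces any older one, so only one can be approved.
        self._pending[user] = (code, t + PROMPT_TTL)
        return code

    def approve(self, user, typed_code):
        """The phone app submits the number its owner typed.

        The prompt is consumed on the first attempt, right or wrong, so a
        tap without the on-screen number never completes a login.
        """
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        code, expires = entry
        if self._now() > expires:
            return False
        return hmac.compare_digest(code.encode(), typed_code.encode())
```
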