• Greensauce@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I’m stealing this from another comment:

      The main advantage comes with phishing resistance. Standard MFA (time based codes) is not phishing resistant. Users can be social engineered into giving up a password and MFA token. Other MFA types, such as pop up notifications, are susceptible to MFA fatigue. Similar to YubiKeys, Passkeys implement a phishing resistant MFA by storing an encryption key, along with requiring a biometric. The benefit here is that these are far easier for the average user, and the user does not need to carry a physical device. Sure, fingerprints could possibly be grabbed with physical presence, but there is far less risk that a users fingerprint is stolen, than a user being social engineered over the phone into giving creds. For most organizations and users, this is far more secure.

      • atheken@programming.dev
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        1 year ago

        And, they are actually more convenient because then entire login process is one step with minimal keyboard input, rather than two.

          • atheken@programming.dev
            link
            fedilink
            arrow-up
            0
            ·
            1 year ago

            You can still keep password + 2FA on GitHub and Google Suite (probably anything else that’s currently implementing them), it’s just a convenience/anti-phishing feature right now.

            The passkey is synced between devices if it’s kept in a password manager, I haven’t looked at the mechanism that Apple uses to sync it/use it if you store it in the system keychain. I guess you could also have multiple passkeys configured for a few devices.

            • valpackett@lemmy.blahaj.zone
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              IIUC Apple syncs them using the most secure way they can, i.e. when you enroll a new device to your account the existing device, the existing device’s HSM encrypts keys using the pubkey of the new one’s HSM; and for recovery from being left with 0 Apple devices there might be (?) an escrow option that’s optional (?)

              • atheken@programming.dev
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                Cool. I should check it out. I tend to assume that when Apple (or Google) rolled this out that it’s not broken in any obvious way that I would recognize right away.

                But like contactless payments, which I’ve advocated my friends and family switch to, I should read up on why it’s more secure.

      • SorteKanin@feddit.dk
        link
        fedilink
        arrow-up
        0
        arrow-down
        1
        ·
        1 year ago

        Standard MFA (time based codes) is not phishing resistant. Users can be social engineered into giving up a password and MFA token.

        So basically this is just idiot-proofing the system. If you aren’t the type of person to give your password or MFA token to another person, then passkeys don’t really make better security.

        • 0xc0ba17@sh.itjust.works
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          idiot-proofing

          Don’t chalk it up to idiots. The quote mentions “MFA fatigue”, which is something that definitely happens.

          If you’re a Windows user (and moreso if you play games on your computer), you certainly regularly have admin prompts. I’m pretty sure that, like everyone else, you just click OK without a second thought. That’s fatigue. Those prompts exist for a security reason, yet there are so many of them that they don’t register anymore and have lost all their meaning.

          For my job, I often have to login into MS Azure, and there are days where I have to enter my MFA 3 or 4 times in a row. I expect it, so I don’t really look at the prompt anymore. I just enter the token to be done with it asap; that’s a security risk

    • Dark Arc@social.packetloss.gg
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      At this point, you probably shouldn’t.

      At some point, passkeys will be ubiquitous enough they’ll be like low friction SSH keys for web authentication (i.e. there will be no shared secrets in the login process).