• Greensauce@sh.itjust.works
    1 year ago

    I’m stealing this from another comment:

    The main advantage comes with phishing resistance. Standard MFA (time-based codes) is not phishing resistant. Users can be social engineered into giving up a password and MFA token. Other MFA types, such as pop-up notifications, are susceptible to MFA fatigue. Similar to YubiKeys, passkeys implement phishing-resistant MFA by storing an encryption key, along with requiring a biometric. The benefit here is that these are far easier for the average user, and the user does not need to carry a physical device. Sure, fingerprints could possibly be grabbed with physical presence, but there is far less risk that a user's fingerprint is stolen than a user being social engineered over the phone into giving creds. For most organizations and users, this is far more secure.

    • atheken@programming.dev
      1 year ago

      And they are actually more convenient, because the entire login process is one step with minimal keyboard input, rather than two.

        • atheken@programming.dev
          1 year ago

          You can still keep password + 2FA on GitHub and Google Suite (probably anything else that’s currently implementing them), it’s just a convenience/anti-phishing feature right now.

          The passkey is synced between devices if it’s kept in a password manager. I haven’t looked at the mechanism that Apple uses to sync it/use it if you store it in the system keychain. I guess you could also have multiple passkeys configured for a few devices.

          • valpackett@lemmy.blahaj.zone
            1 year ago

            IIUC Apple syncs them using the most secure way they can, i.e. when you enroll a new device to your account, the existing device’s HSM encrypts keys using the pubkey of the new one’s HSM; and for recovery from being left with 0 Apple devices there might be (?) an escrow option that’s optional (?)

            • atheken@programming.dev
              1 year ago

              Cool. I should check it out. I tend to assume that when Apple (or Google) rolled this out, it’s not broken in any obvious way that I would recognize right away.

              But like contactless payments, which I’ve advocated my friends and family switch to, I should read up on why it’s more secure.

    • SorteKanin@feddit.dk
      1 year ago

      Standard MFA (time-based codes) is not phishing resistant. Users can be social engineered into giving up a password and MFA token.

      So basically this is just idiot-proofing the system. If you aren’t the type of person to give your password or MFA token to another person, then passkeys don’t really make better security.

      • 0xc0ba17@sh.itjust.works
        1 year ago

        idiot-proofing

        Don’t chalk it up to idiots. The quote mentions “MFA fatigue”, which is something that definitely happens.

        If you’re a Windows user (and more so if you play games on your computer), you certainly regularly have admin prompts. I’m pretty sure that, like everyone else, you just click OK without a second thought. That’s fatigue. Those prompts exist for a security reason, yet there are so many of them that they don’t register anymore and have lost all their meaning.

        For my job, I often have to log in to MS Azure, and there are days where I have to enter my MFA 3 or 4 times in a row. I expect it, so I don’t really look at the prompt anymore. I just enter the token to be done with it asap; that’s a security risk.
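
The contrast drawn at the top of the thread between time-based codes and passkeys, as an added example that is not from any commenter: a TOTP code carries no information about where it was typed, while a WebAuthn assertion carries the browser-supplied origin and an RP ID hash that the server checks. The relying party `login.example.com`, the look-alike origin, the secret and the helper names are all constructed for illustration.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "login.example.com"               # constructed relying party
RP_ORIGIN = "https://login.example.com"

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: a function of the shared secret and the clock only."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    # Nothing in the code says which site the user typed it into.
    return hmac.compare_digest(totp(secret, now), submitted)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON: the browser, not the user, fills in the origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def auth_data(rp_id: str) -> bytes:
    """authenticatorData prefix: rpIdHash (32) | flags UP+UV | signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", 1)

def server_accepts_assertion(cdj: bytes, ad: bytes, challenge: bytes) -> bool:
    """Binding checks only; verifying the signature is a separate step not shown."""
    cd = json.loads(cdj)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == b64url(challenge)
            and cd.get("origin") == RP_ORIGIN
            and ad[:32] == hashlib.sha256(RP_ID.encode()).digest())

def demo() -> dict:
    secret, now, chal = b"constructed-secret", 1_700_000_000, b"\x07" * 16
    lookalike = "https://login.example.com.lookalike.test"   # constructed
    return {
        "totp_relayed": server_accepts_totp(secret, totp(secret, now), now),
        "passkey_real_site": server_accepts_assertion(
            client_data(RP_ORIGIN, chal), auth_data(RP_ID), chal),
        "passkey_lookalike": server_accepts_assertion(
            client_data(lookalike, chal), auth_data("lookalike.test"), chal),
    }

if __name__ == "__main__":
    print(demo())
```
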