Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.

  • CaptObvious@literature.cafe
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    2
    ·
    6 months ago

    I haven’t either because I don’t see the advantage. Cases like this show that there may not be any.

    • Kushan@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      6 months ago

      Cases like this only prove that a better lock doesn’t improve security when the old lock still lets you in.

      The takeaway here isn’t “passkeys are bad”, it’s “keeping less secure methods of authentication as a fallback is bad”

      It’s like saying all 2FA is bad because SMS 2FA is dogshit.

      • xyguy@startrek.website
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        This is the real takeaway, if you have a forgot password button that bypasses everything then none of it is anything more than a login accelerator.