#phishingresistant - Public Fediverse posts
Live and recent posts from across the Fediverse tagged #phishingresistant, aggregated by home.social.
-
@rmondello: what makes passkeys strong:
1. Software checks the domain name, which makes phishing hard;
2. HTTPS is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);
3. A unique, long, unguessable, randomly generated "password" (public key) per account: dumb password rules and broken human RNGs no longer apply.
The rest is marketing (including the hyped asymmetric cryptography).
The "advantage" of denying the owner access to their own private keys hardly makes sense as long as session cookies are not device-bound.
The disadvantage of not being able to back up one's own private keys is the risk of vendor lock-in and the underestimated, huge risk of account lockout [1]. And the latter leads to the necessity of being able to log in using weak authentication after the user loses access to their private keys.
[1] https://seclists.org/fulldisclosure/2024/Feb/15
#Passkeys #Phishing #PhishingResistant #AsymmetricCryptography #AndroidPasskeys #androidPasskeysGone #iOSpasskeys #iPadOSpasskeys #ApplePasskeys #BackUp #Export #BackUpPasskeys #ExportPassKeys #PasskeyBackUps #PasskeyExports
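Point 1 of the post above (the software checks the domain name) is enforced twice in WebAuthn: the browser refuses to let a page use an RP ID that is not its own registrable domain, and the relying party then re-checks the origin in clientDataJSON and the rpIdHash in authenticatorData before it even looks at the signature. The following is an added example, not code from the post or from any vendor; it simulates both halves of that check with a hypothetical RP "example.com", a constructed challenge, and a lookalike domain "example.com.evil-login.net" standing in for an AitM proxy. Signature verification is deliberately left out (it needs an ECDSA library); the comments say what it would add.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

# Hypothetical relying party (RP) configuration for this example.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}
# Constructed challenge; a real RP draws a fresh one from os.urandom(32) per ceremony.
ISSUED_CHALLENGE = bytes(range(32))

FLAG_USER_PRESENT = 0x01  # bit 0 of the authenticatorData flags byte


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(origin: str, challenge: bytes, rp_id: str,
                    flags: int = 0x05, counter: int = 7):
    """Assemble the two unsigned fields a browser and authenticator produce for
    navigator.credentials.get(): clientDataJSON (written by the browser with the
    calling page's real origin) and authenticatorData (written by the
    authenticator, starting with SHA-256 of the RP ID the browser permitted).
    A browser only permits an RP ID equal to the page's registrable domain or a
    parent of it, so a page on example.com.evil-login.net cannot ask for
    "example.com"; the phishing case below therefore uses its own domain."""
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    authenticator_data = (
        hashlib.sha256(rp_id.encode()).digest()  # rpIdHash, 32 bytes
        + bytes([flags])                         # flags: bit0 = UP, bit2 = UV
        + counter.to_bytes(4, "big")             # signature counter
    )
    return client_data_json, authenticator_data


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes):
    """RP-side checks from the WebAuthn assertion verification procedure that
    bind the response to this RP's domain and session. Returns (ok, reason).
    In a real RP the signature over authenticatorData || SHA-256(clientDataJSON)
    is verified next; it is what stops an attacker from editing either field."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if not isinstance(client_data, dict) or client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "challenge is not base64url"
    if challenge != expected_challenge:
        return False, "challenge mismatch (replayed or foreign session)"
    origin = client_data.get("origin", "")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin"
    if urlparse(origin).scheme != "https":
        return False, "origin is not https"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    """Legitimate login vs. the same challenge relayed through a lookalike
    domain, which is what an AitM phishing proxy would have to hand back."""
    legitimate = build_assertion("https://login.example.com", ISSUED_CHALLENGE, RP_ID)
    phishing = build_assertion("https://example.com.evil-login.net", ISSUED_CHALLENGE,
                               "example.com.evil-login.net")
    return {
        "legitimate": verify_assertion(*legitimate, ISSUED_CHALLENGE),
        "phishing": verify_assertion(*phishing, ISSUED_CHALLENGE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The phishing case fails on the origin check before the rpIdHash check is even reached; if the proxy rewrote the origin field to pass it, the signature (not modelled here) would no longer verify, because the hash of clientDataJSON is part of the signed data. This is also why the post's point 2 matters: the browser only exposes WebAuthn in a secure context, so the origin it records is always an https one.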
-
PASSKEYS, HOW AND WHY?
I have just tried to explain at https://security.nl/posting/929755 how passkeys work and what their advantages and disadvantages are.
Boosting this toot is appreciated!
#Passkeys #WebAuthn #FIDO2 #Yubikey #Phishing #PhishingResistant #PhishingResistance #InfoSec
-
MFA vs. phishing-resistant MFA
Phishing is a very popular technique of attackers. They trick the user into entering their credentials on some fraudulent site pretending to be a corporate login page, for example to log into Microsoft Entra ID. The user enters their login credentials there and sends them to the attacker.
Watch my YouTube video where I show the difference between MFA and phishing-resistant MFA:
https://youtu.be/NGx6tRKtEFI
#cswrld #video #mfa #phishing #authentication #phishingresistant #entraid