undefined | Better HN

0 pointsPassageNick3y ago0 comments

Passwordless is MFA -- something you are and something you have.

I'm not a yubikey expert, but I don't believe that losing your Yubikey will open up your company to a breach.

For a typical passwordless solution, losing your phone isn't a risk, given that no one can reproduce your face or thumbprint.

0 comments

_8j503y ago

Your face and thumbprint can easily be reproduced. There is even a guy that took a photo of a politicians' finger from a mile away and used that to forge their fingerprint. Even without going technical your dopplegangers can bypass face auth lol. You can guess spray pins and push notification codes. The one thing you can count on is someone will find a way around any good passwordless solution. For example, there is a "rdp in browser" phishing where a browser in the attackers vm does the actual auth but the user thinks it is in their browser so most passwordless methods are defeated by cookie theft like that.

PassageNickOP3y ago

If you can take a photograph of someone's fingerprint and reproduce it, how, exactly, does one use that?

PassageNickOP3y ago

....and can you explain the cookie theft thing a bit more?

j / k navigate · click thread line to collapse

0 comments

_8j503y ago

PassageNickOP3y ago

If you can take a photograph of someone's fingerprint and reproduce it, how, exactly, does one use that?

PassageNickOP3y ago

....and can you explain the cookie theft thing a bit more?

j / k navigate · click thread line to collapse