undefined | Better HN

0 pointslxgr2y ago0 comments

> Why can't passkeys just be strings that I can extract via biometric authentication?

As much as that lock-in annoys me personally – I could absolutely see this become a tech support scam attack vector. "Please share your passkey with us for authentication by going to your device's settings and selecting the 'export passkey' option"...

> you can always just add a new device via other established factors (email/SMS)

That gives the relying party some agency about requiring additional authentication to add devices though, of treating devices added under dubious circumstances as less trusted, or simply of sending a security notification to the customer.

Exporting a passkey leaves no relying-party-side traces.

0 comments

SheinhardtWigCo2y ago

> "Please share your passkey with us for authentication by going to your device's settings and selecting the 'export passkey' option"

This doesn't seem materially different from "please go to your emails and find the six-digit code we just sent you".

> Exporting a passkey leaves no relying-party-side traces.

Not if it's only useful for getting a device-bound session token. Everything you listed is already commonplace.

jesseendahl2y ago

>This doesn't seem materially different from "please go to your emails and find the six-digit code we just sent you".

Exactly, that's the problem lxgr is pointing out. Those six-digit codes can (and often are) phished by e.g. tech support scam attackers. lxgr is pointing out the same exact attack could be done against an exported passkey.

hedora2y ago

So you’re saying this phishing attack:

We have to rename and re-enroll your device token so your laptop can still log in.

Click “I registered this credential” when you get the alert about it so your old credential that you added before will still work.

Is harder to pull off than:

Go to your password manager and export the entire database locally stored passwords. Now, print it out and read this 200 character string to me over the phone, or just email the file to me.

veeti2y ago

Can't we just put a 100px blinking red text that says "Do not share this with anyone or it's your own fault" and be done with it?

lxgrOP2y ago

It would be great if that were actually 100% effective, but unfortunately phishing still happens despite such warnings.

In a situation where a message on a screen tells a person to do x, and a person on the phone tells them to disregard it because it’s a computer error or whatever and do y, some percentage of people will do y.

The only way to prevent that is for there to be only one option – the safe one. Sometimes that has unacceptable other implications of course; this might well be such a case.

magicalhippo2y ago

> In a situation where a message on a screen tells a person to do x, and a person on the phone tells them to disregard it because it’s a computer error or whatever and do y, some percentage of people will do y.

It's the human version of prompt injection attack.

GoblinSlayer2y ago

Rename "export passkey" to "backup passkey". Or backup whole database.

j / k navigate · click thread line to collapse