undefined | Better HN

0 pointsFargren10mo ago0 comments

I don't see how that's worse than user-password authentication. For password without 2FA the attack pattern is

1) User goes to BAD website and signs up (with their user and password). BAD website captures the user and password

2) BAD website shows a fake authentication error, and redirects to GOOD website. Users is not very likely to notice.

3) BAD uses user and password to login to GOOD’s website as the user. BAD now has full access to the user’s GOOD account.

OK, with a password manager the user is more likely to notice they are in BAD website. Is that the advantage?

0 comments

2 comments · 2 top-level

dan-robertson10mo ago

Most password managers are fussy about which websites they fill the password in on. It’s partly a convenience feature to only show relevant accounts but it’s also a security feature to avoid phishing.

Passkeys are stronger here because you can’t copy and paste a passkey into a bad website.

samsk10mo ago

Can happen, but on the BAD website will the password manager not offer saved password, so user has higher chance of noticing smth. is wrong. Of course if he uses pass manager with complex passwords...

j / k navigate · click thread line to collapse