Cybersecurity @sh.itjust.works BrikoX @lemmy.zip 4d ago

Passkey Redaction Attacks Subvert GitHub, Microsoft Authentication

www.darkreading.com Passkey Redaction Attacks Subvert GitHub, Microsoft Authentication

Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.

Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.

14 comments

Wait, haven’t some sources been touting how ultra-secure and unbreakable passkeys are? And now we find that they’re susceptible to comparatively simple MITM attacks?
- This is just someone siting in the middle and modifying a page not to show the passkey login option anymore and then stealing a password/session token.
  
  As far as I can tell, this has almost nothing to do with passkeys specifically and would only apply in a situation where a website has a username and password fallback in case a passkey isn't created or isnt working.
  
  I haven't started using passkeys yet because I haven't looked into them. Sell me on them?
  
  If The Next Big Thing can be sidelined by simply blocking its login option, that’s a problem. Not only is it not secure, it’s not even reliably usable.

14 comments