Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.
Wait, haven’t some sources been touting how ultra-secure and unbreakable passkeys are? And now we find that they’re susceptible to comparatively simple MITM attacks?
This is just someone sitting in the middle and modifying a page not to show the passkey login option anymore and then stealing a password/session token.
As far as I can tell, this has almost nothing to do with passkeys specifically and would only apply in a situation where a website has a username and password fallback in case a passkey isn't created or isn't working.
If The Next Big Thing can be sidelined by simply blocking its login option, that’s a problem. Not only is it not secure, it’s not even reliably usable.