by lxgr 962 days ago
> Why can't passkeys just be strings that I can extract via biometric authentication?

As much as that lock-in annoys me personally – I could absolutely see this become a tech support scam attack vector. "Please share your passkey with us for authentication by going to your device's settings and selecting the 'export passkey' option"...

> you can always just add a new device via other established factors (email/SMS)

That gives the relying party some agency, though: it can require additional authentication to add devices, treat devices added under dubious circumstances as less trusted, or simply send a security notification to the customer.

Exporting a passkey leaves no relying-party-side traces.
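To make the "relying-party-side traces" point concrete, here is an added example (not code from the thread or from any passkey implementation) that models the relying party's bookkeeping for the two recovery paths under discussion. Signing is stubbed with HMAC over the challenge as a stand-in for the ECDSA/Ed25519 assertion a real authenticator would produce, so the block runs on the standard library alone; the class names, event tuples and `counter_advances` flag are assumptions made for the illustration. The counter check at the end is WebAuthn's signCount rule, added here as a caveat rather than taken from the thread: a device-bound key that increments its counter would eventually betray a clone, but synced passkeys typically report 0 forever, so that check gives an RP nothing against an exported copy.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Passkey:
    """Authenticator-side credential. `secret` stands in for the private key."""
    credential_id: bytes
    secret: bytes
    sign_count: int = 0
    counter_advances: bool = False  # synced passkeys normally keep reporting 0

    def assert_challenge(self, challenge: bytes) -> dict:
        if self.counter_advances:
            self.sign_count += 1
        msg = self.sign_count.to_bytes(4, "big") + challenge
        sig = hmac.new(self.secret, msg, hashlib.sha256).digest()  # HMAC stand-in for a signature
        return {"credential_id": self.credential_id,
                "sign_count": self.sign_count, "signature": sig}

    def export(self) -> "Passkey":
        """What an 'export passkey' option would hand a scammer: same ID, same key."""
        return Passkey(self.credential_id, self.secret,
                       self.sign_count, self.counter_advances)


def new_passkey(counter_advances: bool = False) -> Passkey:
    return Passkey(os.urandom(16), os.urandom(32), 0, counter_advances)


@dataclass
class RelyingParty:
    credentials: dict = field(default_factory=dict)  # credential_id -> record
    events: list = field(default_factory=list)       # the audit trail

    def register(self, pk: Passkey, via: str, trust: str) -> None:
        self.credentials[pk.credential_id] = {
            "verifier": pk.secret,  # stand-in for the stored public key
            "sign_count": pk.sign_count, "trust": trust, "enrolled_via": via}
        self.events.append(("enroll", via, trust))
        if trust != "full":
            self.events.append(("notify_user", via))

    def add_device_via_recovery(self, pk: Passkey, factor: str) -> None:
        # A new credential record the RP can mark as provisional and notify about.
        self.register(pk, via=factor, trust="provisional")

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def authenticate(self, challenge: bytes, assertion: dict) -> str:
        rec = self.credentials.get(assertion["credential_id"])
        if rec is None:
            self.events.append(("login_fail", "unknown credential"))
            return "unknown credential"
        msg = assertion["sign_count"].to_bytes(4, "big") + challenge
        expected = hmac.new(rec["verifier"], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            self.events.append(("login_fail", "bad signature"))
            return "bad signature"
        # WebAuthn signCount rule: a counter that fails to advance suggests a
        # cloned key; two zeros carry no information and are accepted.
        new, old = assertion["sign_count"], rec["sign_count"]
        if (new != 0 or old != 0) and new <= old:
            self.events.append(("login_flag", "counter did not advance"))
            return "possible clone"
        rec["sign_count"] = new
        self.events.append(("login_ok", rec["enrolled_via"], rec["trust"]))
        return "ok"


def setup(counter_advances: bool = False):
    """Victim enrolls a passkey and logs in once with their real device."""
    rp = RelyingParty()
    victim = new_passkey(counter_advances)
    rp.register(victim, via="initial", trust="full")
    challenge = rp.new_challenge()
    rp.authenticate(challenge, victim.assert_challenge(challenge))
    return rp, victim


def path_new_device(rp: RelyingParty) -> list:
    """Scammer phishes the SMS code and enrolls their own device."""
    start = len(rp.events)
    rp.add_device_via_recovery(new_passkey(), factor="sms_code")
    return rp.events[start:]


def path_exported_passkey(rp: RelyingParty, victim: Passkey) -> list:
    """Scammer logs in with an exported clone, then the victim logs in again."""
    start = len(rp.events)
    clone = victim.export()
    for key in (clone, victim):
        challenge = rp.new_challenge()
        rp.authenticate(challenge, key.assert_challenge(challenge))
    return rp.events[start:]


if __name__ == "__main__":
    rp, victim = setup()
    print("SMS recovery leaves:", path_new_device(rp))
    print("Exported synced passkey leaves:", path_exported_passkey(rp, victim))
    rp, victim = setup(counter_advances=True)
    print("Exported counter-bearing key leaves:", path_exported_passkey(rp, victim))
```

Running it shows the asymmetry the comment describes: the SMS path produces an `enroll` record with a provisional trust level plus a notification, both of which the RP can act on later, while the exported synced passkey produces two ordinary `login_ok` events indistinguishable from the victim's own logins. Only when the credential is one whose counter advances does the victim's next login trip the clone check, and that is precisely the kind of key an export option would not cover.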


> "Please share your passkey with us for authentication by going to your device's settings and selecting the 'export passkey' option"

This doesn't seem materially different from "please go to your emails and find the six-digit code we just sent you".

> Exporting a passkey leaves no relying-party-side traces.

Not if it's only useful for getting a device-bound session token. Everything you listed is already commonplace.

> This doesn't seem materially different from "please go to your emails and find the six-digit code we just sent you".

Exactly, that's the problem lxgr is pointing out. Those six-digit codes can be (and often are) phished by e.g. tech support scam attackers. lxgr is pointing out that the same exact attack could be done against an exported passkey.

So you’re saying this phishing attack:

We have to rename and re-enroll your device token so your laptop can still log in.

Click “I registered this credential” when you get the alert about it so your old credential that you added before will still work.

Is harder to pull off than:

Go to your password manager and export the entire database of locally stored passwords. Now, print it out and read this 200-character string to me over the phone, or just email the file to me.

Can't we just put a 100px blinking red text that says "Do not share this with anyone or it's your own fault" and be done with it?

It would be great if that were actually 100% effective, but unfortunately phishing still happens despite such warnings.

In a situation where a message on a screen tells a person to do x, and a person on the phone tells them to disregard it because it’s a computer error or whatever and do y, some percentage of people will do y.

The only way to prevent that is for there to be only one option – the safe one. Sometimes that has unacceptable other implications of course; this might well be such a case.

> In a situation where a message on a screen tells a person to do x, and a person on the phone tells them to disregard it because it’s a computer error or whatever and do y, some percentage of people will do y.

It's the human version of a prompt injection attack.

Rename "export passkey" to "backup passkey". Or backup whole database.