[acdha]

This specific example is poor sanitization because it actively misleads the users who try to understand what they’re clicking on.

Your example of the generic confusion around host names and domains is a harder problem but people have tried to mitigate it somewhat by doing things like highlighting the domain name portion. Like most phishing techniques, passkeys will end it eventually.

[paulryanrogers]

> Like most phishing techniques, passkeys will end it eventually.

This assumes passkeys will be widely adopted. And that users will know to stop wherever the passkey doesn't work. I have doubts about both.

[acdha]

Your first assumption is dubious: Apple, Microsoft, and Google all have well-integrated support and usage is increasing on mainstream sites. It seems unlikely that there will be strong popular backlash against something which is easier to use in addition to being safer.

The second is flat out wrong. Passkeys and U3/F/FIDO2 do not depend on the user at all. Even if I completely fool you, the credential you get for example.com cannot be used on example.org because the protocol incorporates the host name. That’s why the security community is pushing them since phishing is so common and this shuts that down entirely. The attacks now tend to involve getting people to downgrade to password + SMS/TOTP so the more those fade from common usage the better everyone will be.

[jpc0]

So Google and Amazon have support, and it seems depening on which AB group you are in Apple does too?

I think it is a significant benefit and likely to be implemented specially concidering client support is already there and there are good libraries available to do it.

[paulryanrogers]

Large providers have supported other standards and not seen uptake. I'll believe it if/when it happens.

Lack of understandably is the primary downside of passkeys, and I doubt it will be overcome in this decade. Authentication is like investing, one must understand the options for it to be effective.

[acdha]

There’s plenty of inertia but if you haven’t tried it, the experience on Apple devices is pretty easy to understand and fast: “Do you want to sign in with Face ID for the web?” takes less time than weakening your password to suit some site’s policy, and it’s much faster and easier than dealing with any other form of MFA. At least for sites required to have MFA, that inertia is going to win out faster than we think because ordinary people hate things like TOTP codes and stuff like SMS/email codes will trigger accessibility complaints.

[jpc0]

Understating isn't too though for me.

I click a button, my phone/computer asks for biometrics etc and the passkey is loaded.

When more poviders make it a default it will be even better. This isn't like enrolling 2fa, its more akin to hardware tokens without th hassel of carrying around a hardware token...

[jeroenhd]

Passkeys work, password managers with autofill should also work. You can override password managers, but "why can't I find my credentials" makes you look at the URL again at least once.

For Bitwarden, this will be the hostname, and as such, will tell you that you don't have any passwords for moc.margatsni.nl

There are design issues at play here, but mitigations for most types of phishing are already available. Websites need to implement Passkey support, but any username+password website should work perfectly fine with password managers.