Hacker News new | ask | show | jobs
by mort96 543 days ago
The phishing site will just ask you for a password, maaaaybe with some text explaining some BS reason why you can't use your passkeys but if it's a website which the user knows they have a password to, the kind of person who's prone to non-targeted phishing attacks likely won't even think to question why the passkey thing didn't trigger.
1 comments
ylk 543 days ago
Honestly don’t care to spend time on looking up the various states of 2fa proxies. But I’ve learnt so far that attackers don’t build/use the most advanced tooling you can think of at all times. They often use the simplest thing that gets the job done. If it’s not targeted, it’s fine to not get the credentials of people with a passkey. Up until a significant portion of targets use passkeys, which I highly doubt to be the case as of now.

Additionally, “the kind of person who's prone to non-targeted phishing attacks” is actually everyone — including infosec professionals spending lots of time on phishing campaigns for red team engagements. You just need to be lucky enough to reach them at the right (emotional, stressful, …) moment. Getting grammar and spelling correct and even potentially even slightly customising each email is made much easier by AI. Knowledgeable users might, however, stop once their passkey doesn’t work and try to understand why.

link
mort96 542 days ago
Okay? What relevance is this, if the phishing site just asks for a password then some users will enter their passwords even if they also have a passkey for that service. They aren't "not getting the credentials of people with a passkey", they are "not getting the credentials of some of the people who remember that they have a passkey and get extra suspicious because the passkey thing doesn't pop up".
link
ylk 542 days ago
I’m saying most people who do phishing likely don’t care to implement passkey detection to display a relevant error message to the user, as it’s not worth the effort, as of now
link
mort96 542 days ago
Which means they'll just ask for passwords, which users will happily input since they know they have a password for the service.
link