|
|
|
|
|
|
by ndriscoll
355 days ago
|
|
|
Right, that makes such a system unusable for normal people, so it is not a good thing to force it upon them. The benefit is not clearly there because anything that can manipulate local memory can also just use the key directly, or if there's some kind of physical button press required, wait for the user to log in and then do whatever they want with the session cookie or alter page contents or do anything else it wants. If the token doesn't display what it's authorizing (e.g. a yubikey), you could also watch for any usage, block that request to the device, and instead auth against their bank. If you need multiple button presses (e.g. they need to press again to confirm a transfer), say there was an error and ask them to try again. Normal people are however not concerned with these Mission Impossible scenarios, and random passwords are good enough while being easy to use without an IT department to fix when it goes wrong. A password manager (which every browser has built in) already associates passwords to domains for phishing resistance. Users already should never need to enter a password manually unless the site did something stupid to try to block the password manager from working. |
|
|
Whut? Passkeys work perfectly fine for "normal people".
> The benefit is not clearly there because anything that can manipulate local memory can also just use the key directly
Correct. But it does require fairly high level of system access. Hardware-bound keys also allow full hardware-attested authentication.
> Normal people are however not concerned with these Mission Impossible scenarios, and random passwords are good enough while being easy to use without an IT department to fix when it goes wrong.
If you're using truly random passwords, then you're using a password manager. And if you're using a password manager, then why not just use passkeys?
All the popular password managers support them: BitWarden, 1Pass, iCloud Keychain, even LastPass.