by josephcsible 239 days ago
The point of passkeys is to protect against phishing and password reuse. You can't protect against local compromise, even if your passkeys are stored in something like a YubiKey, because once you log in to your bank with your hardware-backed passkey, the malware on your computer could use the session you started to transfer all of your money out of your account.
2 comments

That’s why most banks ask you to approve transactions with an explicit reauthentication.
Then the malware will just wait until you want to do something legitimate that needs that, and then swap it out for its own thing.
But it can't maintain that compromise. That's important.
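A toy model of the three situations the comments describe, added here as an example and not part of the thread or anyone's post in it. The `Authenticator` and `Bank` classes, the `bound`/unbound reauthentication modes and the "grocer"/"attacker" transfers are hypothetical constructions; HMAC stands in for the public-key signature a real passkey would produce, and the bank verifies with the same key object, which simplifies WebAuthn. The model shows why a reauthentication that only signs a fresh nonce can be swapped for a different transaction by malware on the client, why the swap can only be repeated once per user-initiated approval, and that binding the payee and amount into the signed message is what stops the swap.

```python
"""Toy model of the thread's argument (added example, not from the post).

It simulates a hardware-backed authenticator, a bank backend, and malware on
the client that can read the browser session and rewrite outgoing requests.
"""
import hashlib
import hmac
import secrets


class Authenticator:
    """Hypothetical passkey / YubiKey: the key never leaves the object."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def sign(self, message: bytes) -> bytes:
        # In the model the user has read and approved `message` on the
        # device (or, for an unbound nonce, has simply tapped the key).
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def verify(self, message: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(message), sig)


class Bank:
    """Hypothetical bank backend. bound=True means the reauthentication
    signature covers the transaction details, not just a fresh nonce."""

    def __init__(self, auth: Authenticator, bound: bool = False) -> None:
        self.auth = auth          # verifier for the registered credential
        self.bound = bound
        self.balance = 1000
        self.sessions = set()     # bearer session tokens
        self.pending = set()      # one-time reauthentication nonces

    def login(self) -> str:
        """Phishing-resistant login that nevertheless yields a bearer token."""
        challenge = b"login|" + secrets.token_bytes(16)
        if not self.auth.verify(challenge, self.auth.sign(challenge)):
            raise PermissionError("bad login assertion")
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def transfer_session_only(self, token: str, dest: str, amount: int) -> bool:
        """Transfer guarded by the session alone (first comment)."""
        if token not in self.sessions or amount > self.balance:
            return False
        self.balance -= amount
        return True

    def begin_transfer(self, token: str) -> bytes:
        if token not in self.sessions:
            raise PermissionError("no session")
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def reauth_message(self, nonce: bytes, dest: str, amount: int) -> bytes:
        """What the user signs at reauthentication time."""
        if self.bound:   # what you see is what you sign
            return b"transfer|" + nonce + f"|{dest}|{amount}".encode()
        return b"transfer|" + nonce   # nonce only: says nothing about the payee

    def finish_transfer(self, token: str, nonce: bytes, dest: str,
                        amount: int, sig: bytes) -> bool:
        if token not in self.sessions or nonce not in self.pending:
            return False
        self.pending.discard(nonce)   # single use, even if the check fails
        if not self.auth.verify(self.reauth_message(nonce, dest, amount), sig):
            return False
        if amount > self.balance:
            return False
        self.balance -= amount
        return True


def scenario_session_reuse() -> int:
    """First comment: malware reuses the session the hardware key opened."""
    bank = Bank(Authenticator())
    token = bank.login()                        # user taps the key once
    stolen = token                              # malware reads the cookie
    bank.transfer_session_only(stolen, "attacker", bank.balance)
    return bank.balance                         # 0: everything is gone


def scenario_swapped_reauth(bound: bool) -> tuple:
    """Second and third comments: the user approves a legitimate transfer and
    the malware swaps in its own payee and amount before the request leaves."""
    auth = Authenticator()
    bank = Bank(auth, bound=bound)
    token = bank.login()
    nonce = bank.begin_transfer(token)
    # The user approves "grocer, 50". In bound mode the device shows those
    # details, so this is the only message the user would ever sign.
    user_sig = auth.sign(bank.reauth_message(nonce, "grocer", 50))
    # Malware rewrites the outgoing request but reuses the user's signature.
    fraud_ok = bank.finish_transfer(token, nonce, "attacker", 1000, user_sig)
    # The nonce is spent, so a second fraudulent transfer needs another
    # user-initiated approval: the malware cannot keep the compromise going.
    repeat_ok = bank.finish_transfer(token, nonce, "attacker", 1000, user_sig)
    return fraud_ok, repeat_ok, bank.balance
```

Running `scenario_swapped_reauth(False)` reproduces the swap from the second reply (one fraudulent transfer succeeds, a second attempt with the same nonce does not), while `scenario_swapped_reauth(True)` shows the same malware failing once the signature covers the payee and amount the user actually saw.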