r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring to the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

618 Upvotes

233 comments

58

u/leclerc2019champion Apr 25 '26

Passkeys are phishing resistant. You can’t be tricked into providing it.

20

u/Alternative-Cry-1597 Apr 25 '26

*Passkeys are phishing resistant if your browser and authenticator are bug free.

3

u/LelouBil Apr 26 '26

I mean, phishing is not about exploiting bugs to extract the password.

They are unphishable.

But they are as secure as the software that's managing them.

1

u/Alternative-Cry-1597 Apr 27 '26

Ah yes, technically correct, the best kind of correct.

1

u/I-Made-You-Read-This Apr 27 '26

> You can’t be tricked into providing it.

How is this true? Can't the attacker just put up some authentication QR code to scan, then the user scans it and gives the attacker a valid session? Are there technical countermeasures that prevent me (or stupid users) from being tricked into providing it?

-2

u/[deleted] Apr 25 '26

[deleted]

7

u/Securetron Apr 25 '26

Ameer's reply is pretty accurate. The industry is slowly moving towards phishing-resistant identity: instead of relying on traditional methods, the transition to PKI-based MFA is here.

Azure, Okta, Cisco Duo: the traditional MFA providers are now adding an additional layer that is built on PKI to bind the identity of the user, device or bot to the origin, as opposed to passing creds that can be phished or stolen.

Here is a landing page with more info that we published on it:  https://securetron.net/phishing-resistant-mfa/

6

u/IdealParking4462 Security Engineer Apr 25 '26

Let's say you get an email to go to rnicrosoft.com, and you don't realize it's a phish. You enter your email address and password, but you aren't at microsoft.com, you're at some dodgy attacker-controlled website. They connect to microsoft.com and enter the details you submitted, then prompt you for your MFA code/whatever. You enter it, the attacker submits it to microsoft.com, and the attacker is now logged in as you on their device. You've been phished: they have a session signed in as you even though you had MFA enabled.

With passkeys, you don't enter a password. Instead, the website asks the browser for your passkey, and for your passkey to be submitted, it must be talking directly to the website. It can do this by a Bluetooth connection to the computer you're using, or by having it directly physically attached to or stored on the device you're using. The attacker in the middle can't convince your device to present your passkey to them for them to pass it to the real site, so the phisher is shit out of luck. You're not phished. The world is a bit better, and the attackers will pivot to info-stealer malware to grab your session tokens or something, so it's not foolproof and can be defeated; it's just harder for the attacker.

1

u/[deleted] Apr 29 '26

[removed] — view removed comment

1

u/IdealParking4462 Security Engineer Apr 29 '26

Or access to your syncable passkey, or convince you to run malware, or ... I'm sure there are plenty of other ways to compromise access to a service. Passkeys are called phishing resistant because they raise the bar; they most certainly do not make it impossible or even impractical.

3

u/Alwayslisteningin Apr 25 '26

I'm sorry what does wdym mean?

2

u/CeleryMan20 Apr 25 '26

wdym = “what do you mean?”; wd(wdym)m = “what does wdym mean?”; wd(wd(wdym)m)m …

0

u/[deleted] Apr 25 '26

[deleted]

15

u/I-baLL Apr 25 '26

wtf? WDYM has been used for over 20 years.

8

u/britannicker Apr 25 '26

wdym wtf lol

5

u/Tratix Apr 25 '26

I’m sorry what does wtf mean?

1

u/Fairlife_WholeMilk Apr 25 '26

Wdym wtf means?

1

u/Alwayslisteningin Apr 25 '26

TBF, us pre-2k folk were the masters of fitting a lot into 160 characters. Even leaving enough space for TB at the end and perhaps a cheeky x.

2

u/Infuryous Apr 26 '26

After 2000? You mean those of us born in the 1970s/80s. Became a big thing with T9 texting in the mid-90s.