2) BAD website says “We’ve sent you an email, please enter the 6-digit code! The email will come from GOOD, as they are our sign-in partner.”
3) BAD’s bots start a “Sign in with email one-time code” flow on the GOOD website using the user’s email.
4) GOOD sends a one-time login code email to the user’s email address.
5) The user is very likely to trust this email, because it’s from GOOD, and why would GOOD send it if it’s not a proper login?
6) User enters code into BAD’s website.
7) BAD uses code to login to GOOD’s website as the user. BAD now has full access to the user’s GOOD account.
This is why “email me a one-time code” is one of the worst authentication flows for phishing. It’s just so hard to stop users from making this mistake.
“Click a link in the email” is a tiny bit better because it takes the user straight to the GOOD website, and passing that link to BAD is more tedious and therefore more suspicious. However, if some popular email service suddenly decides your login emails or the login link within should be blocked, then suddenly many of your users cannot login.
Passkeys is the way to go. Password manager support for passkeys is getting really good. And I assure you, all passkeys being lost when a user loses their phone is far, far better than what’s been happening with passwords. I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.
t_mann · 6h ago
The problems of Passkeys are more nuanced than just losing access when a device is lost (which actually doesn't need to happen depending on your setup). The biggest problem are attestations, which let services block users who use tools that give them more freedom. Passkeys, or more generally challenge-response protocols, could easily have been an amazing replacement for passwords and a win-win for everyone. Unfortunately, the reality of how they've been designed is that they will mainly serve to further cement the primacy of BigTech and take away user freedom.
tialaramex · 6h ago
Do you have some examples where people actually require attestation in 3rd party facing systems? Or is this purely "But in theory..." and you've dismissed all the very real problems with the alternatives because you're scared of a theoretical problem ?
I always reject attestation requests and I don't recall ever having been refused, so if this was a real problem it seems like I ought to have noticed by now.
tux3 · 6h ago
Microsoft Entra ID goes out of its way to enforce attestation for FIDO 2 keys.
The protocol normally allows you to omit the attestation, but they worked around an extra call after a successful registration flow that sends you to an error page if your FIDO2 passkey isn't from one of these large approved vendors: https://learn.microsoft.com/en-us/entra/identity/authenticat...
I found out by trying to prototype my own FIDO2 passkey, and losing my mind trying to understand why successful flow that worked fine on other websites failed with Microsoft. It turns out, you are not allowed to do that.
tialaramex · 21m ago
I don't work in August, so I can't (well, won't) check, but my boss had the infrastructure team turn on FIDO2 for the mandatory 2FA on our administrative accounts and I do not remember having any problems with this.
I do remember explicitly telling them (because of course having agreed to do this they have no idea how and need our instructions) not to enable attestation because it's a bad idea, but you seem to be saying that it'll somehow be demanded (and then ignored) anyway and that was not my experience.
So, I guess what I'm saying here is: Are you really sure it's demanded and then ignored if you turn it off from the administrative controls? Because that was not my impression.
frameset · 2h ago
To defend Redmond here, Entra is an enterprise system. If the company you work for or are interfacing with wants to enforce attestation, that's their business.
B2C I would expect more latitude on requiring attestation.
Zak · 1h ago
A problem is that once a thing like that exists, it ends up on security audit checklists and then people do it without knowing whether they have any reason to.
technion · 2h ago
I would counter argue being the person pushing passkeys in an enterprise: noone in the business knows what attestation is, but we're going to do it because the interface recommends it.
eadmund · 1h ago
Don’t put in place systems which encourage lock-in, even at the B2B level.
lmz · 1h ago
Aren't those usually used inside an enterprise vs B2B between enterprises?
rcxdude · 4h ago
Ah, and even if you can turn it off as the administrator, you still need to include the attestation, it's just not checked. Gotta love Microsoft...
t_mann · 6h ago
Passkeys are in their infancy. You don't go about rolling out such patterns when most users haven't even switched yet and big players like Apple are still resisting attestations (last time I checked). The problem is that the feature is there and can be (ab)-used in this way, so it should be rejected on principle, irrespective of whether it's a problem right now.
I understand the value of attestations in a corporate environment when you want to lock down your employees' devices. But that could simply have been handled through a separate standard for that use case.
drdaeman · 5h ago
At the very least the spec should be painstakingly insistent on not requiring attestation unless implementors have really thought and understood the reasons why they need the security properties provided by attestation in their particular use case. And that it has to be something more meaningful than “be more secure this way” as security is not a rating (even though security ratings exist) but a set of properties, and not every possible security guarantee is universally desirable (please correct me if I’m wrong here, of course), and at least some are not without downsides. Maybe even strongly recommend library authors to pass the message on.
t_mann · 5h ago
I agree, but unfortunately the spec authors are already going out and dangling possible bans in front of projects who implement Passkeys in more user-friendly ways:
> To be very honest here, you risk having KeePassXC blocked by relying parties
But having a choice about how you store your credentials shouldn't depend on the good faith of service providers or the spec authors who are doing their bidding anyway. It's a bit similar to sideloading apps, and it should probably be treated similarly (ie, make it a right for users).
growse · 4h ago
There's a tension here between "user freedom" and a service wanting to make sure that credentials that it trusts to grant access to stuff aren't just being yolo'd around into textfiles on people's dropboxes.
People forget that one of the purposes of authentication is to protect both the end user and the service operator.
eredengrin · 4h ago
Sure, but as long as the fallback for account recovery is sending a reset email or sms (both of which are similar or worse than yoloing textfiles on dropboxes), that's a very tough argument to make in good faith.
account42 · 2h ago
What people do on their own computer is none of the service's business.
growse · 50m ago
It is if it puts the service at risk.
nyeah · 31m ago
Note the scare quotes around user freedom. Perhaps user freedom is a notorious fake issue, a bizarre misconception, or an exotic concept that nobody understands.
growse · 13m ago
I don't know what "scare quotes" are. They're just regular quotation marks, because I'm quoting.
nyeah · 11m ago
Sure, I stand corrected, you "don't know" what I'm talking about.
sam_lowry_ · 4h ago
The exact point of passkeys is to remove all rights from users )
charcircuit · 2h ago
Ensuring it's not possible for remote attackers to easily steal users passkeys is not "removing all rights" for someone. It is setting a security bar you have to pass. One user's poor security can have negative effects on not just them but the platform itself.
account42 · 1h ago
You don't need attestation to allow users to secure their passwords.
charcircuit · 2h ago
Reducing passkeys to the security level of passwords is not just "making something user friendly". It's undoing all of the hardware everyone else in the ecosystem is putting into to making a more secure way for authentication to be done.
zekica · 2h ago
How exactly is this "reducing the security level to those of passwords"? For example: you can't use a passkey on attacker's web site even if you have a plaintext copy of the private key.
charcircuit · 2h ago
I'm not following. The issue is about it being used for the site the private key is for. The attacker's site is irrelevant here.
Systems are usually more open while they are trying to onboard users than they will be once the moat has been established.
We have already been through this with many services suddenly demanding that you give them your phone number "for security".
the_mitsuhiko · 2h ago
> Do you have some examples where people actually require attestation in 3rd party facing systems?
Austria's governmental ID is linked to 5 approved tokens only.
lmm · 6h ago
They're not going to start requiring them until they've phased out non-passkey login. But at that point it will be too late.
XorNot · 5h ago
I don't know why people don't see this coming: very obviously once Passkeys are everywhere, it'll become "we're requiring attestation from approved device bootloaders/enclaves" and that'll be your vendor lock in where it'll be just difficult enough that unless you stick with the same providers phone, you might lose all your passkeys.
growse · 4h ago
> very obviously once Passkeys are everywhere it'll become "we're requiring attestation from approved device bootloaders/enclaves"
This is far from very obvious, especially given that Apple have gone out of their way to not provide attestation data for keychain passkeys. Any service requiring attestation for passkeys will effectively lock out every iPhone user - not going to happen.
pas · 4h ago
Great. At that point there will be a real market niche for people who (can, want, might) think a bit different.
nyeah · 32m ago
Overly argumentative.
johncolanduoni · 1h ago
Why would BigTech care about the dozens of users using an open source password manager? What’s their gain from preventing these people from logging in? They love money and don’t care about user freedom, sure. But they’ve shown no evidence of hating user freedom on principle.
Every time I’ve seen them actually attack user freedom, there was an embarrassingly obvious business angle. Like Chrome’s browser attestation that was definitely not to prevent Adblock, no sir.
xg15 · 40m ago
Because they'd actively have to make their proprietary passkey systems interoperable with password managers. This is fail-closed, not fail-open: If they truly didn't care, they'd also be no incentive for them to implement support.
But I fear it's worse. Based on how past open standards played out, I find it believable they do care - that there won't be an open ecosystem of password managers.
> But they’ve shown no evidence of hating user freedom on principle.
Yes, they did, just see Microsoft's crusade against Linux and the origin of the "embrace-extend-extinguish" term.
bryanrasmussen · 49m ago
>Why would BigTech care about the dozens of users using an open source password manager?
I agree, why would BigTech care about those dozens of users. Screw those guys, they can use our password manager or they can get lost, we don't need them!
63stack · 1h ago
>Why would BigTech care about the dozens of users using an open source password manager?
Because big tech loves control. Just because you can't see the angle yet, it doesn't mean there isn't one now, or won't be one later. It has been shown time and time again that they will take all the freedom away from you that they can.
withinboredom · 1h ago
> Why would BigTech care about the dozens of users using an open source password manager?
Bots using a custom password manager to share logins.
tux3 · 1h ago
If all you want is to make a bot that can use passkeys automatically, add a transistor between your Yubikey's touch button and GND. When you turn the transistor on, the capacitive sensor is activated.
Now the Yubikey is just an API you can call, websites cannot tell the difference. You can't export keys, but a bot can add new keys after using existing keys to log in.
withinboredom · 1h ago
this doesn't work on stolen aws accounts though /s
smallerfish · 2h ago
> Passkeys is the way to go. Password manager support for passkeys is getting really good.
I set up a passkey for github at some point, and apparently saved it in Chrome. When I try to "use passkey for auth" with github, I get a popup from Chrome asking me to enter my google password manager's pin. I don't know what that pin is. I have no way of resetting that pin - there's nothing about the pin in my google profile, password manager page, security settings, etc.
uyzstvqs · 1h ago
Passkeys are the pinnacle of bad UX. It just works, until the user tries to switch devices, accounts or platforms. The slogan of passkeys should be something like "I don't have a password, it usually just works, but now I changed X and it doesn't work anymore". Even worse is hardware-based 2FA built into smartphones (also FIDO), as you lose your phone in a lake and now you can't access anything anymore.
The way to go is an encrypted password manager + strong unique random passwords + TOTP 2FA. It's human-readable. Yes, that makes it susceptible to phishing, but it also provides very critical UX that makes it universal and simple.
johncolanduoni · 1h ago
Apple’s works fine, including when I’m logging on to my windows machine. Opening the camera app is a little annoying, but I don’t have to do it frequently. 1Password works well too and it runs on everything. There’s open source options, but I can’t attest to their UX.
smallerfish · 1h ago
That's fine, but Chrome has 67% market share, and the majority of people will pick the default option for passkeys if prompted. For passkeys to replace passwords it's got to be seamless and easily recoverable without compromising security.
yunwal · 50m ago
> the majority of people will pick the default option for passkeys if prompted
Especially since Google doesn’t allow you to change your personal default which is what convinced me to go and switch all my accounts off of Google SSO
airstrike · 28m ago
Yes, it really is a shame that Google Chrome has dominated the market since the very first browser was created.
PartiallyTyped · 16m ago
I use protonpass and it’s great, carried across all my devices and browsers.
Hnrobert42 · 2h ago
That is unfortunate, but that sounds more like a chrome problem than a passkey problem. You would have the same issue if chrome saved your password.
kmac_ · 1h ago
Passkey is a great example of how five kitchen chefs can't make scrambled eggs. Horrible user experience, terrible marketing, no mental model like "your phone is THE key," no tangible or even symbolic presentation of the key.
acdha · 44m ago
That’s a lot of anger without a substantial argument. For Apple users, for example, the user experience is very smooth and the mental model is “I use iCloud to store my passcode just like I use iCloud to store my passwords”. If you use 1Password, you’re changing iCloud for 1Password instead.
spixy · 1h ago
Google password manager's pin?
On my Windows laptop that is Windows Hello PIN, not sure about other OSs. And it can be disabled.
zozbot234 · 3h ago
> I'd rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.
The problem is that I can physically show up at my local bank branch or at my job's IT helpdesk to get my account back, but I can't show up at the Googleplex or at Facebook's or Xitter's HQ and do the same. Device bound passkeys are very error prone for the latter scenario, since users will fail to account for that case.
boredhedgehog · 6h ago
> Passkeys is the way to go.
I wish there was a stronger differentiation between syncable and device-bound passkeys. It seems like we're now using the same word for two approaches which are very different when it comes to security and user-friendliness.
And yes, giving granny unsyncable passkeys is a really bad idea, for so many reasons.
mths · 3h ago
> I wish there was a stronger differentiation between syncable and device-bound passkeys.
But there is no difference. I'd prefer if services just let me generate a passkey and leave it entirely up to me how I manage it. Whoever setup granny's device should have done so with a cloud based manager.
I think Google tries to make some confused distinction, or maybe that has more to do with FIDO U2F vs FIDO2. There you can add either a "passkey" or a "security key", but iirc I added my passkey on my security key so... yeah
valenterry · 5h ago
> Passkeys is the way to go
No, at least not on its own. Let's not repeat the mistakes.
Password managers are the way to go and ONLY FOR RARE EXCEPTIONS we should use dedicated MFA, such as for email-accounts and financial stuff. And the MFA should ask you to set up at least 3 factors and ask you to use 2 or more. And if it doesn't support more or less all factors like printed codes, OS-independent authenticator apps and hardware keys like yubikey, then it should not be used.
pyrale · 4h ago
We need to go further. If a service doesn't include 197 factors including blood samples, showing up at a physical location 50 miles from your home, and sending a picture of yourself in a specific posture, and doesn't require you to use at least 53 of them (determined randomly) to login, then it's insecure and should not be used.
doublerabbit · 2h ago
Sounds like something the UK gov would love to implement, plus extra.
Such as finding a dinosaur fossil of your families name clan.
degamad · 4h ago
Passkey are more like password managers, and less like MFA tokens - despite the fact that many passkey implementations can function as MFA tokens as well.
Bitwarden the password manager includes a full passkey implementation, which doesn't involve any MFA.
valenterry · 4h ago
> Passkey are more like password managers, and less like MFA tokens
No:
- I can always export and import all my passwords from/into my password manager
- My passwords always work independently of a password manager or any specific app/OS/hardware
That is not true for passkeys and makes them much more like tokens. Of course they don't have to be used in MFA, just like passwords.
dchest · 4h ago
If you like password managers, you'll love passkeys!
Passkeys is an interface between your password manager and a website without all the fluff with filling or copy-pasting passwords.
valenterry · 4h ago
No need to write like that. I know, understand and use passkeys for quite a while now.
I don't love them. I don't love passwords either.
But while I don't fear passwords, I fear passkeys. The reason is that it makes the tech even more intransparent. My password manager stops working, completely dies or I can't use it anymore for other reason? No problem, I can fallback to a paper list of passwords if I really have to. This transparency and compatibility is more important than people think.
Passkeys lack that. They can be an interface like you described, but only if everyone plays along and they can be exported. But since there is no guarantee (and in practice, they often cannot be exported either) they are not a replacement for passwords. They are a good addition though.
Unfortunately, many people don't understand that and push for passwords to begone.
Flimm · 3h ago
What about server-generated passwords, like API keys? That would solve the main problem with passwords, namely, that people reuse the same weak password everywhere. I doubt it would be as popular as user-selected passwords, but I still wonder why no website has tried it.
dchest · 3h ago
How is that different from a passkey's private key, apart from being less secure?
It's literally something like
hnkTKS7h2WCOBr3CxSKM51cSVKSkiKOSlQsMhtRZ0CU
stored in the password manager.
syhol · 2h ago
A passkey import/export standard is in the works. Once I know I can backup everything in a keepass database I'll be much happier.
valenterry · 2h ago
True. Still, the difference is that with passwords, no one can stop you from "exporting" it. With passkeys, it could be changed, and the power for that lies in the hands of only a few vendors. It's still a bit concerning if they replace passwords forcefully.
RHSeeger · 20m ago
I love password managers. I dislike passkeys. So clearly that's not the case.
dur-randir · 4h ago
Let me decide for myself what must I love.
account42 · 1h ago
Also without all that pesky privacy and choice of what you run on your own computer.
jghn · 4m ago
If the target was not actively trying to log into GOOD at that exact moment, why would they treat this as anything other than one of a phishing attempt or spam?
yoz-y · 5h ago
I don’t like passkeys. Before my process to login was:
- open website
- if not already logged in, log in to 1Password
- autofill password
- autofill TOTP
Now:
- open website
- if logged in to 1Password the Use Passkey usually shows up
- if not:
- log in to 1Password
- choose use passkey
- this almost always does nothing
- choose “use other method”
- choose “password”
- autofill that
- now there is another dialog to choose the 2fa method, choose Authenticator
- autofill that
Passkeys would be great if they actually made anything simpler on a computer. They work fine on the phone but that’s not where I spend most of my time.
tecleandor · 3h ago
And if I'm not using passkey, but the web site detects I'm using a passkey-compatible browser or password manager, the site takes over and tries to "sell" me a passkey anyway. No, I don't want it!
al_borland · 23m ago
It’s also confusing if I’m being promoted to use an existing passkey or if I’m being promoted to create a passkey.
Now that I’m so paranoid about this, and not remembering which sites I have them for, I always dismiss the passkey prompt, then have to click several more times to get to the password login and fill it in with my password manager.
geden · 4h ago
Passkeys work very smoothly with Safari and Apple Passwords.
Apple Passwords now sufficiently good to replace 1Password for me and I’m slowly transitioning.
I don’t mind subscription models per se but there was something about subscription for your own passwords that made me refuse to jump the fence when 1Password switched to that model.
Would be a bit faffy if you’re a Chrome user.
jonplackett · 4h ago
It works fine until you dare to have TWO accounts for the same website. Safari will just randomly pick one of them and always tray to log you in with that passkey every time you visit, and the interface for using a different one is really annoying.
al_borland · 19m ago
I stick with 1Password, because I don’t want my password manager to be part of the barrier to using other platforms.
I also have a bunch of stuff in 1Password that doesn’t have a home in Apple Passwords, which would be a problem.
And yes, Chrome with Apple Passwords is annoying. At work I’m forced to use Chrome for some things, and I’ve been dabbling with Apple Passwords. Every time I launch the browser I have to put in a code to link the extension with Passwords. It’s very annoying.
xobs · 2h ago
I've never gotten passkeys to work on the Mac. Every time I try it with either Firefox or Safari says I need to log into iCloud, which I really don't want.
kelnos · 4h ago
... or like most people, and not a Mac user.
hgomersall · 4h ago
Or anyone that thinks a monoculture is bad and that perhaps we shouldn't trust a single vendor with everything important.
agos · 3h ago
that says more about 1Password than about passkeys. With 1Password I often get "does nothing" when trying to autofill good old regular passwords
arccy · 4h ago
That just sounds like you made a poor choice of password manager that doesn't put a priority on good ux...
roelschroeven · 3h ago
> “Click a link in the email” is a tiny bit better because it takes the user straight to the GOOD website, and passing that link to BAD is more tedious and therefore more suspicious.
"Click a link in the email" is really bad because it's very difficult to know the mail and the link in it are legitimate. Trusting links in emails opens to door to phishing attacks.
johnisgood · 3h ago
Yeah, I was frowning when I read that. It is not any better at all, not even a tiny bit.
ramraj07 · 3h ago
I know not to click links on random emails but comfortably click links on emails I initiated from a website.
roelschroeven · 3h ago
How do you know the email comes from that website? There are known cases of phishing mails being sent when people expect a legitimate mail.
Yeul · 2h ago
If someone hacks my account and starts ordering stuff on bol it's not my problem but the company's so I don't sleep over it.
The company doesn't care either because fraud is just the cost of doing business- ease of ordering> security.
Cthulhu_ · 3h ago
You do, but does the average user? Security's reliance on people's behaviour / knowledge / discipline should be minimal.
klipt · 5h ago
> I’d rather granny needs to visit the bank to get access to her account again
Visiting the bank is fine. But who do you visit to recover your Gmail password?
probably_wrong · 3h ago
For the record, if you're in the EU you can make a GDPR request to their Data Protection Officer - since it's your data what's being kept away from you, you have the right to at least a backup.
It can take months and it only guarantees a backup, not full access, but it's better than nothing.
Arwill · 13m ago
Mobile phone App/Passkey authentication is just a way to pass the responsibility down to users. Losing a phone today is not just losing the passkey, there are "login with QR-code" schemes too, which do not need a password at all. It is a bad trend to pass all security onto the physical phone.
netcan · 2h ago
Good points but dont underestimate "granny needs to visit the bank to get access to her account again" as a problem.
For a lot of people, dealing with (now mostly digital) bureaucracies is a major stress in life. The biggest one, for some.
Its not just about invonvenience. Its sometimes about losing access to some, and just not having it for a while.
In terms of practical effect, a performance metric for a login system could be "% of users that have access at a given point." There can be a real tradeoff, irl, between legitimate access and security.
On the vendor side.. the one time passwords fallback has become a primary login method for some. Especially government websites.
Customer support is costly and limited in capacity. We are just worse at this than we used to be.
Digital identity is turning out to be a generational problem.
nicce · 3h ago
> Passkeys is the way to go. Password manager support for passkeys is getting really good. And I assure you, all passkeys being lost when a user loses their phone is far, far better than what’s been happening with passwords. I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.
I am waiting for the era when using passkeys is not depending from some big tech company.
Yizahi · 2h ago
If attacker would fool me at one website he will get that one account (possibly forever) and that's it. If it is a bank connected account, I can intervene and change email/account by writing a physical request to the bank for example, call the bank, do something. And likely it will be only a single bank account. But it may be even some unrelated account. Maybe it will be my Amazon account and all the attacker gets is some ebooks. Or Steam account. Or some email without important links. Etc.
Point is, the damage will be likely local to a single or a handful of accounts.
If all the accounts are protected by two factor on my phone and I lose it or it bricks, then I'm done. It will be a total mess with no paths to recover, except restarting literally everything from scratch.
I have Google Auth app on my phone and every few months I consider using it, but then reconsider and stay with passwords.
Aaargh20318 · 2h ago
> I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.
But granny can't go to a bank because they closed down most of their offices. Since 99% of what you need a bank for can be done using their app it no longer made financial sense to have a physical presence in most smaller towns and villages.
Lots of elderly were complaining about this when it happened because they were too lazy to learn how to use the bank apps. Hell, they already started complaining when you could no longer withdraw money at the desk even before they closed down the offices. Apparently even learning to use something as simple as an ATM was too much effort for them.
al_borland · 28m ago
Isn’t clicking on a link in an email also problematic? It gets users in the habit of trusting links in emails. There is a history of those being used in bad ways as well.
I still don’t really understand what recovery looks like for a lost passkey… especially if I lose all of them. Not everything has a physical location where an identity can be validated, like a bank. Even my primary bank isn’t local. I’d have to drive about 6 hours to get to a branch office.
Uvix · 26m ago
The recovery of a lost passkey is the same as a lost password.
DougN7 · 8h ago
It sounds good, unless granny needs to visit Google or Microsoft to get a new password after losing her phone. Then what??
patrakov · 5h ago
The scary part is not about losing her phone. It's about having to keep the old, no-longer-secure Android phone alive just for passkeys after getting a shiny (and secure) new iPhone.
charcircuit · 3h ago
You can add the new phone as an additional passkey. I don't see how this would be scary.
j1elo · 2h ago
I have 531 logins for varied websites and services. Would you enjoy having to change 531 passkey devices? Me neither. But default login flows in all these sites prompt you to use your current device as passkey by default, so people who don't know better (i.e. a general "everybody") are being gently pushed to do so.
charcircuit · 2h ago
No, which is why there is the cross platform standard CXF which allows for cross platform sharing of passkeys. Apple has announced that support for this is shipping later this year with iOS 26. Google hasn't announced when they are shipping it yet.
yunwal · 41m ago
Would’ve been nice if the basic UX would have been figured out before passkeys were shoved down everyone’s throats
reginald78 · 14m ago
It just wasn't an important consideration, unlike the attestation anti-feature.
elteto · 1h ago
So until then you have to do what parent said? Change each one individually when you switch devices? Thanks but no.
hgomersall · 4h ago
The problem here is really with Google and Microsoft than anything else. It's not like this problem doesn't occur already for other reasons.
drozycki · 8h ago
She follows same reset flow as before. Passkeys are identical in this respect to the passwords of yore.
cuu508 · 6h ago
If granny forgets her password, she looks it up on the last page of her notebook where it is written down. Granny cannot write down her passkey.
To avoid getting locked out you could add 2-3 passkeys from different providers to each account. And/or use a passkey provider that allows backups, and back up your keys. But I doubt many people will have the discipline to do either of that.
politelemon · 6h ago
Then that's worse, it's now two authentication flows to remember. It's only made the situation more complicated.
raphinou · 6h ago
Honest question: isn't that introducing some weaknesses, allowing the attacker to either reactivate password auth or add it's own passkey eh by tricking the user in accepting that change after receiving a mail with a link to accept that change?
That would make the passkey unbreakable, but leave other easier to exploit weaknesses.
izacus · 5h ago
No. You always need that flow.
jonplackett · 4h ago
The problem with passkeys is they’re very unfamiliar and it’s easier therefore for less experienced users to get confused or tricked.
rcxdude · 4h ago
Passkeys are more like 2FA, and many services disable password resets without 2FA if it's enabled.
account42 · 1h ago
Do you have any examples of such services? How do they handle the lost phone case? Tell people to go pound stand?
sriku · 8h ago
A while ago, I implemented a signin approach that looks similar to this "send a link/code" mode but (I believe) can't be exploited this way - https://sriku.org/blog/2017/04/29/forget-password/ - appreciate any thoughts on that.
Btw this predates passkeys which should perhaps be the way to go from now on.
richardwhiuk · 5h ago
One problem is you are requiring users to trust and click on a link in an email which is historically frowned upon. So you are undercutting phishing education.
dada78641 · 1h ago
This is a 100x better explanation than what's in the blog post. The blog post is practically a tweet.
__MatrixMan__ · 2h ago
Passkeys will be the way to go if we get them to remove the "attestation object" field from the protocol. Until then there's no way for Jimbob to tell the difference between:
> Website: is this Jimbob' phone
> Hardware: yes
And
> Website: I'll give you a dollar if you tell me something juicy about this user
> Hardware: Give this token to Microsoft and ask them
> Microsoft: Jimbob is most likely to click ads involving fancy cheeses, is sympathetic to LGBTQ causes, and attended a protest last week
With passwords and TOTP codes, I am in control of what information is exchanged. Passkeys create a channel that I can't control and which will be used against me.
(I chose Microsoft here because in a few months they're using the windows 10->11 transition to force people into hardware that locks the user out of this conversation, though surely others will also be using passkeys for similarly shady things).
florieger · 2h ago
How is it worse than using a password? I think I'm missing something, please explain.
1) User goes to BAD website.
2) BAD website says “Please enter your email and password”.
3) BAD’s bots start a “Log in with email and password” on the GOOD website using the user’s email and password.
4) BAD now has full access to the user’s GOOD account.
bmacho · 44m ago
I think GP has the following in mind:
- user has an account on GOOD.COM
- user has saved her password in her browser
- user navigates to BAD.COM
In this case autofilled passwords are safe and convenient since they alarm the user that she isn't at GOOD.COM.
A clickable link sent in email mostly works too, it ensures that the user arrives at GOOD.COM. (If BAD sends an email too, then there is a race condition, but it is very visible to the user.)
Pin code sent in email is not very good when the user tries to log in to BAD.COM.
jaggirs · 2h ago
In your example, the user is logging in to BAD.com, thinking it is GOOD.com.
In the OP's example, the user is logging in to BAD.com intentionally, but his GOOD.com account is still hacked into.
This is a lot harder for the user to catch on to.
account42 · 1h ago
Specifically, that OP describes sounds like a plausible log-in-with-big-tech-company flow that is really common these days.
Someone · 2h ago
People hopefully won’t reuse the username/password they use on GOOD to log into BAD, so the login that BAD does in step 3 will fail.
ericjmorey · 9m ago
Some percent of people will reuse their password. This is all but guaranteed.
michaelsshaw · 2h ago
Password managers can catch this case by not autofilling, hinting the user to take a step back and pay attention.
xg15 · 37m ago
There will not be a bank to visit.
geocar · 4h ago
> The attack pattern is:
There are lots of attack patterns. That is one. I am not certain I believe it is very likely, because (a) I think "sign-in partner" is obvious bullshit, and (b) I don't understand why I would never enter a code into the wrong website. I believe it can be possible, but...
> Passkeys is the way to go. ... I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.
... I do not agree your story is justification for passkeys, or for letting banks trust passkeys for authentication purposes. I'd rather she not lose access to banking services in the first place: I don't think banks should be allowed to do that, and I do not think it should be possible for someone to "steal all her money" so quickly -- Right now you should have at least several days to fix such a thing with no serious inconvenience beyond a few hours on the phone. I think it is important to keep that, and for banking consumers to demand that from their bank.
A "granny" friend of mine got beekeeper'd last year[1] and her bank reversed/cancelled the transfers when she was able to call the next say and I (local techdude) helped backup/restore her laptop. I do not think passkeys would helped and perhaps made things much worse.
But I don't just disagree with the idea that passkeys are useful, or even the premise of a decision here between losing all their money and choosing passkeys, I also disagree with your priors: Having to visit a bank branch is a huge inconvenience for me because I have to fly to my nearest. I don't know how many people around here keep the kind of cash they would need on-hand if they suddenly lost access to banking services and needed to fly to recover them.
I think passkeys are largely security-theatre and should not be adopted simply if only so it will be harder for banks to convince people that someone should be able to steal all their money/access with the passkey. This is just nonsense.
[1]: seriously: fake antivirus software invoice and everything, and her and her kid who is my age just saw the movie in theatres in like the previous week. bananas.
account42 · 1h ago
> I am not certain I believe it is very likely, because (a) I think "sign-in partner" is obvious bullshit
It's looks almost the same as the log-in-with-big-tech flow that users are already used to.
> and (b) I don't understand why I would never enter a code into the wrong website. I believe it can be possible, but...
You enter it on the website you are trying to log into and where you initiated the action, which in this scenario is the BAD website.
Findecanor · 3h ago
> I am not certain I believe it is very likely, because (a) I think "sign-in partner" is obvious bullshit, and (b) I don't understand why I would never enter a code into the wrong website. I believe it can be possible, but...
You and I think they are bullshit, but ... the problem is that bullshit is sometimes genuine.
I have got tired of how many times in recent years I have seen things that looked like phishing or had obvious UX-security flaws and reported them only to have got a reply from customer service that the emails and sites were genuine and that they have no intention of improving.
If janky patterns is the norm, then regular users will not be able to recognise the good-but-janky from the scams.
pavon · 4h ago
> I am not certain I believe it is very likely, because (a) I think "sign-in partner" is obvious bullshit, and (b) I don't understand why I would never enter a code into the wrong website. I believe it can be possible, but...
Now replace email a with text message sent from a short-code.
pbhjpbhj · 17m ago
>(a) I think "sign-in partner" is obvious bullshit
Nearly every website tries to offer Google or Microsoft based sign in, "sign in partners" are commonplace.
rightbyte · 4h ago
It is all bananas. The old way with a local key on the computer and some silly Java program, a physical dongle to validate transactions with a number printed on a display, was way more fool proof.
Then the banks wanted you to use the dongle to verify yourself on phone and it all went downhill from there.
FabHK · 3h ago
> I don't understand why I would never enter a code into the wrong website
That's what phishing is predicated on, and it seems to be successful enough.
eadmund · 1h ago
> Passkeys is the way to go.
No, please, not as long as attestation is in the spec. I firmly believe that passkeys are intended to facilitate vendor lock-in and reduce the autonomy of end users.
Frankly, I do not trust any passkey implementation as much as I trust a GPG-encrypted text file.
raxxorraxor · 3h ago
I like capability URLs. I know an URL isn't a secret, but it works in practice and it works well.
A bad practice is the shorten the code validity to a few minutes. This cannot really be justified and puts users under stress, which lessens security.
The discussion around passkeys, who is and isn't allowed to store them, almost killed them for me personally. I use them for very, very few services and I don't want to extend it.
smallerfish · 3h ago
But you could replace #2 with "Enter your password from GOOD, as they are our sign-in partner". I'm not in favor of emailing 6 digit codes either, but your scenario presupposes that users will be willing to trust that two services have intermingled their auth, and in that case their password can be wrangled from them too.
No comments yet
kqr · 5h ago
Passkeys are still a shared secret, aren't they? Asymmetric cryptography would have been amazing. Barring that I would actually recommend Oauth or something like it, to limit the number of parties who manage shared secrets to a smaller set of actors who have more experience doing so.
kro · 4h ago
They are in fact public/private keys and use signing a challenge for authentication.
barrkel · 4h ago
But in practice they usually rely on attestation by an approved vendor, and the vendor won't let you control your private key, so they'll leverage it for lock-in.
growse · 4h ago
No, they're just resident webauthn credentials which use asymmetric crypto.
traceroute66 · 4h ago
> Passkeys is the way to go.
My problem with passkeys is that there is no hardware attestation like there is with Yubikeys and similar.
This means for security conscious applications you have no way of knowing if the passkey you are dealing with is from an emulator or the real-deal.
Meanwhile with Yubikeys & Co you have that. And it means that, for example people like Microsoft can (and do) offer you the option to protect your cloudy stuff with AAGUID filtering.
And similar if you're doing PIV e.g. as a basis for SSH keys, you can attest the PIV key was generated on the Yubikey.
You can't do any of that with passkeys.
thiht · 2h ago
I hate passkeys because even as a savvy user, I don’t know what to do with them. Do they replace my password? Do I need to generate one passkey per account and per device? How do I login on a new device? Are password managers still relevant with passkeys?
They’re too opaque for my taste and I don’t like them.
dominicrose · 3h ago
I'm not sure what kind of websites are vulnerable to these attacks, but websites that have double authentication seem pretty safe to me. And if you forgot your password, then you receive an e-mail to change it with a secure link.
This point means the user is not paying attention: 1) User goes to BAD website and signs up.
Steps 2-7 wouldn't be possible without 1.
j1elo · 2h ago
"User not paying attention" is ultimately the reason for most phising attacks. It happens a lot, and we're trying to solve it as the known problem it is. Everybody, and I say everybody are human beings at the end of the day (so far...) and so by definition, can have a bad day and lower their defenses. It has ironically even happened to reputated security specialists.
antaviana · 5h ago
If we are talking about real time phishing then sending a code to the email is as secure as a 2FA authentication with password and Google Authenticator code.
SethMurphy · 5h ago
Can you explain this more, I don't understand Google authenticator completely? Could a bad actor spoof a 2FA as they can with an email, and capture your input?
delusional · 5h ago
The attacker would just ask you for the TOTP code and forward that to Google.
jddj · 5h ago
In practice it's maybe slightly harder, because they'd have to convince a user to enter their google 2fa code into a site that isn't obviously google?
I'd imagine a convincing enough modal would do the trick though, in a lot of cases.
chii · 4h ago
> convince a user to enter their google 2fa code into a site that isn't obviously google?
if the BAD site itself looks legit, and has convinced a user to do the initial login in the first place, they won't hesitate to lie and say that this 2-factor code is part of their partnership with google etc, and tells you to trust it.
A normal user doesn't understand what is a 2factor code, how it works, and such. They will easily trust the phisher's site, if the phisher first breaks the user and set them up to trust the site in the beginning.
What google does is to send a notification to the user's phone telling them someone tried to access their account if this happened (or any new login to any new device you previously haven't done so on). It's a warning that require some attention, and depending on your state of mind and alertness, you might not suspect that your account is stolen even with this warning. But it is better than nothing, as the location of the login is shown to you, which should be _your own location_ (and not some weird place like cypress!).
johnisgood · 3h ago
If we are talking about TOTP, there is a time limit to that, which makes it harder, yeah.
Urd- · 56m ago
Not much harder. The state of the art of phishing right now is proxy based setups like evilginx which pass along credentials in real time. Then you just save the session cookie or change/add the 2fa mechanisms so you can get in whenever you want with the stolen credentials.
apt-apt-apt-apt · 4h ago
Would it be a viable and simple solution to only enter 6-digit codes into the specific website that requested it?
Isn't this the same thing as BAD asking, let us know the code i.e. password that GOOD gave you? Why would one be inclined to give BAD (i.e. someone else) this info?
FabHK · 3h ago
If you're phished, you're probably not checking the domain too carefully anyway.
You get an email, providing you with a phishing link for miсrosoft.com (where the apparent c is actually the cyrillic "s", so BAD). In the background, they initiate a login to microsoft.com (GOOD), who then send you a 6 digit code from the actual microsoft.com. If you were fooled by the original phishing website, you have no reason to doubt the code or not enter it.
kylehigginson · 4h ago
This came to my mind too. But by using a password manager it will be able to differentiate between the GOOD and BAD site. So I think the point is valid only if the user is not using a password manager.
pmontra · 2h ago
Or copy pasting passwords manually. In that case the password manager is equivalent to a list of passwords on a sheet of paper.
dogpuncher · 8h ago
I don't understand your example.
> 2) BAD website says “We’ve sent you an email, please enter the 6-digit code! The email will come from GOOD, as they are our sign-in partner.”
Does that mean that GOOD must be a 3rd party identity provider like Facebook, Apple, Google etc?
lmm · 6h ago
They don't have to actually be a 3rd party identity provider, just the user has to find it plausible that they might offer 3rd party login. Which, to be honest, pretty much any big or even medium-sized tech company might be doing these days.
hombre_fatal · 7h ago
No, BAD just inserts your email address on GOOD’s login page which sends you the login code, and they lie to prime you into thinking it’s not suspicious that the email came from someone other than BAD.
When you insert the login code on BAD, BAD uses it to finish the login process on GOOD that they started “on your behalf”.
Philpax · 7h ago
BAD is lying about GOOD and presenting GOOD's legitimate service as a mere IdP for BAD, such that the user provides their code for GOOD to BAD so that the latter can then automatically log into GOOD.
ErneX · 3h ago
There are sites that send you immediately a 6 digit code just by entering your email on their sign in page, they don’t even request a password. That means you could be phished on a fake website that when you enter your email there they do it on the real site, then you receive the real good code and enter it on the fake site.
johnisgood · 3h ago
It is just the same old stuff with username & password combination. I used to duplicate websites, they looked exactly like the original, except I was storing the entered username and password combination. I did this when I was a kid. The process is the same (or very similar) with everything else that is not a password.
ErneX · 1h ago
True, they do it to facilitate access to their site without a password, but personally I don’t like getting an email just because I entered my username to sign in (my password manager takes care of filling the form so that email with a code is unnecessary to me).
Almondsetat · 6h ago
This attack technique is called "real time phishing". If you need a diagram or a more detailed explanation, look it up
atoav · 6h ago
BAD assumes:
1. you got login credentials at GOOD
2. you're using the same email address there
They then tell you GOOD will send you a code that you have to enter on their website.
Then they enter your Email on GOOD and request a reset, which sends a mail with a code to you.
You then enter the code on their website.
Now that they have the code they can enter it on GOOD and they have your account.
rustystump · 6h ago
Links are more worse than otp but both can easily be secure if users check domain which users never do so links and otp are terrible. Long live passkeys.
klabb3 · 4h ago
> if users check domain which users never do
To be fair, can we blame them? There are so many legitimate flows that redirect like it’s a sport. Especially in payments & authn, which is where it’s most important. Just random domains and ping pong between different partner systems.
hulitu · 4h ago
> Passkeys is the way to go. Password manager support for passkeys is getting really good.
And how do you access your password manager when your computer is locked ?
Urd- · 55m ago
How do you access the phishing site when your computer is locked?
yunwal · 32m ago
On your phone
WithinReason · 3h ago
you can to the same with text messages, right? That's even more scary.
arccy · 4h ago
This is also the same problem with TOTP 2fa, passkeys are definitely the way to go for most people.
WesolyKubeczek · 5h ago
I guess this flow is even worse for authenticators like Duo or even Apple’s own iCloud logins with 2fa. You log on to a phishing site mimicking the real one, and your phone asks if it is you trying to log in. Yes of course it’s you logging in, but you don’t realize you’re logging in bad guys by proxy.
The prompts that show where the login is coming from are useless, too, because mapping from IP addresses to geographical locations is far from perfect. For example, my legit login attempts showed me all over my country map. If I’m in a corporate VPN already, its exit nodes may also be all over the map, and your legitimate login from, say, Germany may present itself as coming from Cyprus, which is shady as fuck.
If I seek to implement 2fa for my own service and have it be not theater and resistant to such phishing attacks, it gets difficult real fast.
continuational · 4h ago
Easy to mitigate by only allowing the device that requested the 6-digit code to use the code.
Edit: See first reply, this is not a mitigation at all!
chii · 4h ago
but the device is under the control of BAD. They fake a signin on their backend to GOOD. Your computer never touches GOOD at all, except from seeing the email from GOOD (which you're told about by BAD, and lied to about being a partner signin thing).
The problem being exploited by BAD is that your login account identifier (email in this case) is used in both GOOD (and BAD - accidentally or deliberately orchestrated), and 2-factor does not prevent this type of phishing.
avodonosov · 3h ago
The scheme is impossible, because the GOOD site says in the email "NEVER SHARE THIS ONE TIME CODE WITH 3RD PARTY APPS OR INDIVIDUALS"
pjc50 · 2h ago
You left out the /s tag. People don't read that bit.
avodonosov · 2h ago
/s tag?
Peope do read, if the email is short
account42 · 1h ago
They only read what they need to finish what they are currently trying to do, which in this case is the code they need to log in.
Perz1val · 3h ago
Phising = pretending you're the first party
avodonosov · 2h ago
Tuesday follows Monday
Fargren · 3h ago
I don't see how that's worse than user-password authentication. For password without 2FA the attack pattern is
1) User goes to BAD website and signs up (with their user and password). BAD website captures the user and password
2) BAD website shows a fake authentication error, and redirects to GOOD website. Users is not very likely to notice.
3) BAD uses user and password to login to GOOD’s website as the user. BAD now has full access to the user’s GOOD account.
OK, with a password manager the user is more likely to notice they are in BAD website. Is that the advantage?
dan-robertson · 3h ago
Most password managers are fussy about which websites they fill the password in on. It’s partly a convenience feature to only show relevant accounts but it’s also a security feature to avoid phishing.
Passkeys are stronger here because you can’t copy and paste a passkey into a bad website.
samsk · 3h ago
Can happen, but on the BAD website will the password manager not offer saved password, so user has higher chance of noticing smth. is wrong.
Of course if he uses pass manager with complex passwords...
iEchoic · 5h ago
Four times a day, I get an email notification that someone requested a password reset for my Microsoft account, which gives me a six-digit number to recover my account. So every day, an attacker has four shots in 1,000,000 of stealing my account by just guessing the number. They've been doing this for years.
If the attacker's doing this to thousands of accounts - which I'm sure they are - they're going to be stealing accounts for free just by guessing.
I wrote up a security report and submitted it and they said that I hadn't sufficiently mathematically demonstrated that this is a security vulnerability. So your only option is to get spammed and hope your account doesn't get stolen, I guess.
Lukas_Skywalker · 4h ago
I have added what I think they call login alias to my account. This blocks logins using the normal account username (which is my public email address), and only allows them via the alias (which is not public and just a random string). Not a single foreign login attempt since I enabled the alias.
You can enable it on account.microsoft.com > Account Info > Sign-in preferences > Add email > Add Alias and make it primary. Then click Change Sign-in Preferences, and only enable the alias.
Hnrobert42 · 2h ago
Then, is the login alias sort of a password? In that, it is something you know.
nomercy400 · 4h ago
I had to do this as well. My account got spammed daily in such a way I had to verify my account and change my password on every login.
With the alias I no longer have this issue.
ccppurcell · 1h ago
I get it too! I always assumed it was some hangover from that time I had to use crosses self Microsoft teams.
Randor · 2h ago
Microsoft allows you create a second "login only" account username to access your e-mail and other services. I was having the same problem as you but much worse. Check into it, only takes a few minutes to setup.
timdumol · 4h ago
Does adding MFA not protect you against this? If you are secured by a TOTP on top of your password, it should not matter if they manage to reset your password.
Huppie · 2h ago
Somewhat, but imho the Microsoft MFA is also full of similar flaws.
As an example: I've disabled the email and sms MFA methods because I have two hardware keys registered.
However, as soon as my account is added to an azure admin group (e.g. through PIM) an admin policy in azure forces those to 'enabled'.
It took me a long time debugging why the hell these methods got re-enabled every so often, it boils down to "because the azure admin controls for 'require MFA for admins' don't know about TOTP/U2F yet"
Imho it's maddening how bad it is.
klabb3 · 4h ago
The code length should ideally be adaptive and increase if this happens.
w3ll_w3ll_w3ll · 4h ago
Or you could enable MFA?
jiggawatts · 4h ago
I was authenticating a set of scripts five times for each run with MFA. Once, it asked me for six MFA prompts with no disambiguating info.
Did I click “Yes” to the attack the fifth time, or was the sixth the attack? Or was it just a “hiccup” in the system?
Do I cancel the migration job and start from the beginning or roll the dice?
It’s beyond idiotic asking a Yes/No question with zero context, but that was the default MFA setup for a few hundred million Microsoft 365 and Azure users for years.
“Peck at this button like a trained parrot! Do it! Now you are ‘secure’ according to our third party audit and we are no longer responsible for your inevitable hack!”
rsanheim · 3h ago
The worst part about this is it just further reinforces horrible habits and expectations.
Using a modern password manager, like 1password, is _easier_, safer, and faster than the stupid email-token flow. it takes a little bit of work and attention at first to setup across a couple devices, and verify it works.... but its really about the same amount of effort as keeping track of a set of keys for your house, car, and maybe a workplace.
If you make a copy of a door key when you move into a new place, you test the key before assuming it works. Same thing with a password manager. Save a password on your phone, test it on a different device, and verify the magic sync works. Same as a key copier or some new locks a locksmith may install.
Humans can do this. You don't need to understand crypto or 2fa, but you can click 'create new password' and let the app save some insanely secure password for a new site. Same with a passkey, assuming you don't save to your builtin device storage that has some horrible, hidden user interface around backing that up for when your phone dies.
And the irony is the old flow just works better! You let the password manager do the autofill, and it takes a second or two, assuming their is an email _and_ a password input. Passkeys can be even faster.
southp · 2h ago
I get the point. However, from my own experience this type of one-time passcode is unfortunately the 2nd well-understood authentication method for non-tech people surrounding me. The 1st is the password, of course.
I don't know the general situation, but, at least in our small town, people would go to the phone service shop just for account setup and recovery, since it's just too complicated. Password managers and passkeys don't make things simpler for them either –– I've never successfully conveyed the idea of a password manager to a non-tech person; the passkey is somehow even harder to explain. From my perspective it's both the mental model and the extra, convoluted UX that's very hard to grasp for them.
Until one day we come up with something intuitive for general audience, passwords and the "worse" one-time code will likely continue to be prominent for their simplicity.
dspillett · 2h ago
And even if proper passwords are used, many sites/apps use this pattern for account recovery if the password is forgotten so effectively this is the only security as an attacker has “forgotten” the password and just uses this flow to login.
I've got a little generic login tool that bits I write myself use for login, using this method, but it is not for anything sensitive or otherwise important (I just want to identify the user, myself or a friend, so correct preferences and other saved information can be applied to the right person, and the information is not easily scraped) - I call it ICGAFAS, the “I Couldn't Give A Factor” Auth System to make it obvious how properly secure it isn't trying to be!
Another issue that email based “authentication” like this (though one for the site/app admins more than the end user) has is the standard set of deliverability issues inherent with modern handling of SMTP mail. You end up having to use a 3rd party relay service to reduce the amount of time you spend fighting blocklists as your source address gets incorrectly ignored as a potential spam source.
What's quite annoying is how agressive most products are into forcing this method over regular email+pw / Social Logins. Let me use my 100 chars password!
pas · 4h ago
You are not the target audience, you are not even an outlier, it's probably time to accept this and look for long-term solutions that allow you to interface with the "mainstream".
sampullman · 4h ago
Many (most?) people I know in the "target audience" want to keep their email+password logins.
whyever · 5h ago
Such long passwords are silly, they will be effectively truncated by the key length of the underlying cryptography.
FabHK · 3h ago
Agreed. But since every character gives you around 6 bits (26*2 letters + 10 numbers + some special characters ≈ 64 = 2^6), you'd need 256/6 ≈ 43 characters to exhaust the checked entropy, so up to that level it makes sense.
If you use sentences instead of randomly generated characters, the entropy (in bits/character) is lower, so 100 characters might well make sense.
No comments yet
sweetjuly · 5h ago
Passwords are (or, rather, SHOULD be) cryptographically hashed rather than encrypted. It's possible to compute a hash over data which is longer than the hash input block size by feeding precious hashes and the next input block back in to progressively build up a hash of the entire data.
xx_ns · 4h ago
bcrypt, one of the more popular password hashing algorithms out there, allows the password to be up to 72 characters in length. Any characters beyond that 72 limit are ignored and the password is silently truncated (!!!). It's actually a good method of testing whether a site uses bcrypt or not. If you set a password longer than 72 characters, but can sign in using just the 72 characters of your password, they're in all likelihood using bcrypt.
integralid · 3h ago
Yeah, that's why bcrypt is broken and shouldn't be used today. It had a good run, but nowadays we have better options like scrypt or argon2.
daneel_w · 36m ago
It's not broken. It's just potentially less helpful when it comes to protecting poor guessable passwords. bcrypt isn't the problem, weak password policies/habits are. Like bcrypt, argon2 is just a bandaid, though a tiny bit thicker. Argon2 won't save you from absurdly short passwords or silly "correct horse battery staple" advice, and it's no better than bcrypt at protecting proper unguessable passwords.
Also, only developers who have no idea know what they're doing will feed plain-text passwords to their hasher. You should be peppering and pre-digesting the passwords, and at that point bcrypt's 72 character input limit doesn't matter.
whyever · 45m ago
Yes, in this case it would be easier to brute-force the key instead of the password, so the additional characters don't really help.
Angostura · 3h ago
I read this sentence 4 times and I still can't parse it:
> An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can't know for sure if the code is supposed to be entered in the right place.
antirez · 3h ago
Because the sentence makes no sense, but what the author wanted to say was:
- You are in front of the attacker site that looks like a legitimate site where you have an account (you arrived there in any way: Whatsapp link, SMS, email, whatever). Probably the address bar of your browser shows something like microsoft.minecraft-softwareupdate.com or something alike, but the random user can't tell it's fake. The page asks you to login (in order to steal your account).
- You enter the email address to login. They enter your email address in the legitimate site where you actually have an account.
- Legitimate site (for example Microsoft) sends you an email with a six digit code, you read the code, it looks legit (it is legit) and you enter it in the attacker site. They can now login with your account.
kenjackson · 1h ago
I read it as just some web page that was bad, but not necessarily imitating a good sits. For example some new gaming forum that pops up, which is bad, but uses the gaming forum to get people to send them six digit codes which they use for whatever sites they see fit. Then the people who run the gaming forum are now stealing your Etsy account.
trinix912 · 2h ago
I think one can also understand it as the attacker being the one to enter the email first.
> An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can't know for sure if the code is supposed to be entered in the right place.
Replace "can simply send your email address" with "can simply input your email address". An attacked inputs your email at login.example.com, which sends a code to your email. The attacker then prompts you for that code (ex. via a phishing sms), so you pass them the code that lets them into the account.
kazinator · 5h ago
I believe (and the article should make it clear) that the article is criticizing specifically the use of the code that user must enter into a box, which invites man-in-the-middle attacks.
The article is not advocating against e-mail-driven URL-based password reset/login, whereby the user doesn't enter any code, but must follow a URL.
The six digit code can be typed into a phony box put up by a malicious web site or application, which has inserted itself between the user and the legitimate site.
The malicious site presents phony UI promoting the user to initiate a coded login. Behind the scenes, the malicious site does that by contacting the genuine site, and provoking a coded login. The user goes to their inbox and copies the code to the malicious site's UI. The site then uses it to obtain a session with the genuine site, taking over the user's account.
A SSL protected URL cannot be so easily intercepted. The user clicks on it and it goes to the domain of the genuine site.
Nevor · 2h ago
There are some short comings about using email codes but I fail to see how this worse than passwords when the same exact kind of attack would work for passwords. The difference being that it would be worse with passwords which can be stored, reused later or sometimes changed directly on the service.
kevincox · 1h ago
My password manager will never fill my password into the wrong site. I would need to do so manually which sets of so many alarm bells in my head.
With email pasting the number into a random website is the expected flow and there is basically no protection (some phones have basic protections for SMS auth but even this only works if you are signing in on the same device).
hendry · 2h ago
I came to the comments to say this. Nevor and I are one.
Saris · 16m ago
I'd much rather have passkeys than the endless "email me a code" or "text me a code" crap we deal with today.
ameliaquining · 7h ago
So there are two complaints about this authn scheme that I'm seeing in this thread:
1. It's pretty phishable. I think this is mostly solved, or at least greatly mitigated, by using a Slack-style magic sign-in link instead of a code that you have the user manually enter into the trusted UI. A phisher would have to get the user to copy-paste the URL from the email into their UI, instead of clicking the link or copy-pasting it into the address bar. That's an unusual enough action that most users probably won't default to doing it (and you could improve this by not showing the URL in HTML email, instead having users click an image, but that might cause usability problems). It's not quite fully unphishable, but it seems about as close as you can get without completely hiding the authentication secret from the user, which is what passkeys, Yubikeys, etc., do. I'd love to see the future where passkeys are the only way to log into most websites, but I think websites are reluctant to go there as long as the ecosystem is relatively immature.
2. It's not true multi-factor authn because an attacker only needs to compromise one thing (your inbox) to hijack your account. I have two objections to this argument:
a. This is already the case as long as you have an email-based password reset flow, which most consumer-facing websites are unwilling to go without. (Password reset emails are a bit less vulnerable to phishing because a user who didn't request one is more likely to be suspicious when one shows up in their inbox, but see point 1.)
b. True multi-factor authn for ordinary consumer websites never really worked, and especially doesn't work in the age of password managers. As long as those exist, anyone who possesses and is logged into the user's phone or laptop (the usual prerequisites for a possession-based second factor) can also get their password. Most websites should not be in the business of trying to use knowledge-based authentication on their users, because they can't know whether the secret really came from the user's memory or was instead stored somewhere, the latter case is far more common in practice, and only in the former case is it truly knowledge-based. Websites should instead authenticate only the device, and delegate to the device's own authentication system (which includes physical possession and likely also a lock secret and/or biometric) the task of authenticating the user in a secure multi-factor way.
ajanuary · 5h ago
Two problems I’ve encountered with magic links:
* Mobile email clients that open links in an embedded browser. This confuses some people. From their perspective they never stay logged in, because every time they open their regular browser they don’t have a session (because it was created in the embedded browser) and have to request a login link again.
* Some people don’t have their email on the device they want to log in on.
Sending codes solves both of these problems (but then has the issues described in the article, and both share all the problems with sending emails)
sweetjuly · 5h ago
Magic links can be used to authorize the session rather than the device. That is, starting the sign in process on your laptop and clicking the link on your phone would authorize your laptop's sign in request rather than your phone's browser. It requires a bit more effort but it's not especially difficult to do.
johtso · 4h ago
Wouldn't that be incredibly insecure? Attacker would just need to initiate a login, and if the user happens to click the link they've just given the attacker access to their account..
The reason why magic links don't usually work across devices/browsers is to be sure that _whoever clicks the link_ is given access, and not necessarily whoever initiated the login process (who could be a bad actor)
dspillett · 1h ago
> Wouldn't that be incredibly insecure?
If done naively with a simple magic link, yes.
> and if the user happens to click the link they've just given the attacker access to their account
Worse: if the user's UA “clicks the link” by making the GET request to generate a preview. The user might not even have opened the message for this to happen.
> Wouldn't that be incredibly insecure?
It can be mitigated somewhat by making the magic link go to a page that invites the user to click something that sends a post request. In theory the preview loophole might come into play here if the UA tries to be really clever, but I doubt this will happen.
Another option is to give the user the option to transfer the session to the originating UA, or stay where they are, if you detect that a different UA is used to open the magic link, but you'd have to be carful wording this so as to not confuse many users.
xx_ns · 4h ago
And we get back to the original point of the article (sort of). Opening a magic link should authenticate the user who opened the magic link, not the attacker who made the application send the magic link.
KayEss · 3h ago
This is what makes securing this stuff so hard when you don't have proper review. What seems like a good idea from one perspective opens up another gaping hole somewhere else.
Off the cuff suggestions for improving UX in secure flows just make things worse.
geocar · 5h ago
> think this is mostly solved, or at least greatly mitigated, by using a Slack-style magic sign-in link instead of a code that you have the user manually enter into the trusted UI.
Magic links are better than codes, but they don't work well for cross-device sign-in. What Nintendo does is pretty great: If I buy something on my switch, it shows me a QR code I take a picture of with my phone and complete the purchase there.
I agree it is "mostly solved" in that there are good examples out there, but this is a long way from the solution being "best practices" that users can expect the website/company to take security seriously.
> a. This is already the case as long as you have an email-based password reset flow
I hard-disagree:
If I get an email saying "Hi you are resetting your password, follow these directions to continue" and I didn't try to reset my password I will ignore that email.
If I have to type in random numbers from my email every few days, I'm probably going to do that on autopilot.
These things are not the same.
> anyone who possesses and is logged into the user's phone or laptop (the usual prerequisites for a possession-based second factor) can also get their password.
I do not know what kind of mickey-mouse devices you are using, but this is just not true on any device in my house.
Accessing the saved-password list on my computer or phone requires an authentication step, even if I am logged-in.
I also require second-authentication for mail and a most other things (like banking, facebook, chats, etc) since I do like to let my friends just "use my phone" to change something on spotify or look up an address in maps.
> Most websites should not be in the business of trying to use knowledge-based authentication on their users, because they can't know whether the secret really came from the user's memory or was instead stored somewhere
They can't know that anyway, and pretending they do puts people at risk of sophisticated attackers (who can recover the passkey) and unsophisticated incompetence on behalf of the website (who just send reset links without checking).
> Websites should instead authenticate only the device, and delegate to the device's own authentication system
I disagree: Websites have no hope of authenticating the device and are foolishly naive to try.
NooneAtAll3 · 3h ago
> Websites should instead authenticate only the device
except I'm a user, not a device
>>I<< want to be authenticated, not my specific device that I'm going to switch at some point
funciton · 3h ago
You want to be authenticated specifically on the device that you're using to access the website. Not some arbitrary other device.
If you enter your username, password, and totp, and the website tells you you've logged in from some device halfway across the planet you've never heard of, you probably have a problem.
pas · 4h ago
offering TOTP MFA auth is important for people who actually keep at least some minimal boundary between their passwords and TOTP seeds.
djoldman · 33m ago
Relatedly with respect to passkeys, it seems we have the following tradeoff (simplified):
1. authentication via password: accounts stolen by criminals and then inaccessible to the user.
2. authentication via passkey: accounts lost by users because passkeys have friction, to say the least, when devices are lost/stolen/transferred.
It seems that big providers would much rather scenario 2.
IshKebab · 13m ago
Yeah probably because stolen accounts are more of a hassle for them than lost accounts.
StillBored · 3h ago
And there is _NOTHING_ worse than being locked out of an account because without asking they reverse the password and second factor authentication while your traveling and don't have access to a phone/etc.
Nevermind. that pretty much all services treat the second factor as more secure than my 20 character random password saved in a local password safe. And those second factors are, lets see, plain text over SMS, plain text over the internet to an email address, etc, etc, etc.
allears62 · 4h ago
My main frustration with this sort of system, beyond the security risks is the terrible UX of a system like Spotify.
I appreciate most people log in and stay logged in but I frequently switch Spotify accounts and I use passwords to log in, instead of letting me choose password or a 6 digit code, every time I try and change account a needless 6 digit code is generated and sent to a shared inbox, a huge waste of resources and storage. In addition to being a security concern as flagged throughout this thread.
pas · 4h ago
Spotify has terrible UX in general. You can't even copy the fucking track title.
Try multi-account containers so no need to log out? (Or Island on Android?)
grahameb · 2h ago
I recently set up passkey-only sign ins for a webapp I'm writing using Authentik [0](Python OIDC provider, with quite a nice docker-compose run-up, took only minutes to stand up.) It was surprisingly easy to configure everything so that passkeys are the only thing ever used.
If anyone would be interested I could write it up? I was surprised what a nice user flow it is and how easy it was to achieve.
so many of these Authentication providers have a hockey stick pricing scheme, where the first few users are near free and when you grow you are going to get mugged and kicked in the groin.
FabHK · 3h ago
One additional annoyance with this type of login:
With a username and password field, these are automatically correctly filled by Safari.
With sites that only offer an email field, I have to manually fill it.
(Note that I tend to use different emails for different sites; if you only ever use one email this might not be a problem).
varunramesh · 2h ago
As the author points out, email OTP can be phished if the user is tricked into sending their OTP to an attacker.
Email magic links are more phishing resistant - the email contains a link that authenticates the device where the link was clicked. To replicate the same attack, the user would have to send the entire link to the attacker, which is hopefully harder to socially engineer.
But magic links are annoying when I want to sign in from my desktop computer that doesn't have access to my email. In that case OTP is more convenient, since I can just read the code from my phone.
I think passkeys are a great option. I use a password manager for passkeys, but most people will use platform-provided keys that are stuck in one ecosystem (Google/Apple/MS). You probably need a way to register a new device, which brings you back again to email OTP or magic link (even if only as an account recovery option).
pandorobo · 8h ago
Very short, badly written article.
It can't even describe phishing correctly... At least label your threat model correctly.
While the premise is correct -- it's easy to complain but the author also provides zero recommendations on what is a better form of MFA.
donatj · 8h ago
You misread the short article.
It's about email as single factor auth, which has become very trendy of late. You just enter your email address, no password, and the email you a code. Access to your email is the only authentication.
M95D · 3h ago
But then, email always was the only authentication. On any site, click "forgot password" and promptly they send you a reset password link. Very few sites have a challenge question.
pandorobo · 8h ago
Clearly I didn't misread that. It's literally the very first bullet point?
Thorrez · 4h ago
The first bullet point is "Enter an email address or phone number".
That's not MFA. MFA stands for multi-factor authentication. If the authentication only requires a code sent to an email OR phone number, that's just a single factor.
Ferret7446 · 7h ago
> It's about email as single factor auth, which has become very trendy of late
I must be in the wrong bubble, I have not encountered any site that does this since the 2000s. It was a minor trend around then IIRC.
eddythompson80 · 6h ago
Anthropic is the main one. Its pushing a lot of others to do the same. I literally was arguing against that 2 weeks ago and the person who was pushing it said "Claude does that. Its really slick, no password to remember".
Patreon can do that too, depending on how you sign up.
moi2388 · 6h ago
It’s not slick at all. Passwords and MFA autofill, their image codes don’t, so I have to close the browser, go to email, copy code, delete email, go to browser, paste code just to login.
The entire email login flow is completely retarded. It’s not even secure.
vachina · 4h ago
It’s not just slick, it is “secure” on the get go by thwarting any password stuffing attempts (if your email is not pwned already)
baobun · 6h ago
I believe Slack popularized this back then and still do it.
gopkarthik · 4h ago
In India, almost all websites & apps, send a OTP to either mobile or email & ask you to enter that to login. Most of them have even disabled password based login flows. Really grinds my gears.
wvenable · 6h ago
Spotify just started doing this. I even have a password saved in my password manager but instead of asking me they just sent an email with a code.
daemin · 4h ago
Booking does it and it frustrates me to no end.
ErneX · 3h ago
Trip.com does this.
pandorobo · 8h ago
The first bullet point mentions phone number.
- Enter an email address or phone number
Thats not just email, that's also SMS.
eddythompson80 · 8h ago
Email OR SMS is still one factor. Its not multiple factors. How are you not getting that? Do you know what MFA means?
max__dev · 8h ago
Even if it was Email OR password, that would still be one factor due to the OR. I do not think they are discussing in good faith.
ipython · 8h ago
The first factor is access to your email. The second factor is…?
wodenokoto · 8h ago
The article is not about multiple factor authentication.
It’s about single factor, password logins, using a one-time-token
max__dev · 8h ago
The article is not about MFA. It is about using email as a single factor.
pandorobo · 8h ago
Thats simple a lie or you didn't read the article.
The very first bullet point states: Enter an email address or phone number
That insinuates email OR SMS.
It doesn't just mention email only.
max__dev · 8h ago
The following is copied from wikipedia.
The authentication factors of a multi-factor authentication scheme may include:
1. Something the user has: Any physical object in the possession of the user, such as a security token (USB stick), a bank card, a key, a phone that can be reached at a certain number, etc.
2. Something the user knows: Certain knowledge only known to the user, such as a password, PIN, PUK, etc.
3. Something the user is: Some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
Email and phone are both in category one, comprising only one unique factor.
sophiebits · 8h ago
Half factor authentication, then, since either one will work.
stavros · 5h ago
It's still a single factor.
esjeon · 1h ago
The actual weak link here is not the procedure itself. It’s the fact that your email services will happily accept phishing mails into your inbox.
I’m pretty sure we can prevent this by issuing some kind of proof of agreement (with sender and recipient info) thru email services. Joining a service becomes submitting a proof to the service, and any attempt to contact the user from the service side must be sealed with the proof. Mix in some signing and HMAC this should be doable. I mean, IF we really want to extend the email standard.
charlesabarnes · 9h ago
Wholeheartedly agree, however The Changelog Podcast helped shift my perspective on this. It's really about not having the responsibility of storing and maintaining passwords.
AndroTux · 5h ago
You should never store passwords anyways. You store hashes. I don’t see the issue. If you don’t trust yourself to keep a hash, maybe don’t store user information at all.
benrutter · 5h ago
That's still not perfect though!
Most leaked passwords online come initially from leaked hashes, which bad actors use tools like hashcat to crack.
If your user has a password like "password123" and the hash gets out, then the password is effectively out too, since people can easily lookup the hash of previous cracked passwords like "password123".
This is how it should be done. But it still doesn't protect users fully, because attacker can try to brute-force passwords their interested in. It requires much more effort though.
incorrecthorse · 3h ago
And compute-intensive hash functions. Computers this day are powerful enough to hashcat each individual pwd+salt if a fast hashing function is used.
Macha · 5h ago
Salting already fixed this decades ago, and most modern password libraries will automatically generate and verify against a hash like <method>$salt$saltedhash if you use them instead of rolling your own.
daemin · 4h ago
So if they don't want to store your passwords because they do not want the responsibility of keeping it safe, should you trust your credit card and other personal information with them?
internetter · 5h ago
I feel like this is going to bite me in the ass 15 years from now but like bcrypt is really really hard to screw up
FabHK · 3h ago
Latacora, 2018: In order of preference, use scrypt, argon2, bcrypt, and then if nothing else is available PBKDF2.
So even 7 years ago bcrypt was only the 3rd recommended option.
augunrik · 8h ago
Kinda weird when they secure shop sites where you enter your payment information into.
IKEA does this, for example.
adastra22 · 4h ago
So? They don’t want to store my password, so instead they immensely weaken the security of my account?
This is not good for the user.
gregorvand · 4h ago
Services love it because it hands off the risk and responsibility to… Google/Gmail in most personal cases. This was why the pattern was adopted so quickly.
yafujifide · 2h ago
There is a way to fix this. Don't just require a 6 digit code. Require a 6 digit code and a long random string (an expiring token), which is only present on the page the user visited, or in the email they were sent.
wkat4242 · 3h ago
It's also a lot less convenient. Because I need to have access to my email, wait for the code, copy it etc. I hate companies that dump this extra work on me, like booking.com and all the AI companies.
Passkeys would be so much easier, convenient and so much more secure. I really don't understand why they go for this.
noduerme · 2h ago
I've conscientiously ignored every attempt by every service in the past decade to bully me into giving up a phone number for 2FA. Authenicator apps and passkeys, fine. But never over SMS.
arccy · 2h ago
SMS isn't just insecure, it's a pain when you're out of the country.
torium · 2h ago
You're gonna have to take my passwords from my cold dead hands.
f4c39012 · 6h ago
Some sites make this into a problem accessing their site by having an unsubscribe that doesn't account for this login method. Unsubscribing from marketing means I can no longer login
mnw21cam · 3h ago
Wow, that's some joined-up thinking.
mediumsmart · 1h ago
I think the registration pattern should be - user enters email to register. email is sent to that email with a link to verify. user clicks link. user gets email with username and password to login in to the profile created for them.
addandsubtract · 1h ago
This reveals the user's password (even if temporary) in plain text in an unencrypted email. Basically the last thing you want.
A better workflow is to send the user a link where they can set their initial password themselves.
harha · 1h ago
Also super annoying if you haven’t set up email on a device (like my iPad), now I have back and forth with my phone instead of going through my password manager.
rcarmo · 5h ago
Anthropic/Claude does this and it is a shame. They have the ability to code proper Authenticator and yet don’t.
0xd3af · 3h ago
[insert joke about vibe coding a shit auth service]
serpix · 1h ago
hilariously that is just what I tried to do the other day and oh boy are we safe from AI taking over just yet.
wodenokoto · 9h ago
Lot's of services realized that users would use the reset password form for login.
6510 · 8h ago
To state the obvious, there the code is part of the url they have to visit.
amelius · 1h ago
This is one of those problems for which a simple solution must exist, but which never gets solved.
Just like sending large files over the internet.
giantfrog · 8h ago
Still seems far, far more likely that the average user will have their account stolen via password theft/reuse than the more complicated scheme the author is describing. Links instead of codes also fixes the issue.
esseph · 8h ago
Links are not trustworthy and can leak to compromise.
malfist · 9h ago
Whole heartedly agree. It's not more secure if you only use the second factor of two factor auth.
LoganDark · 9h ago
Codes that are provided on demand by a service will always be far less secure than proper TOTP. Because in the case of proper TOTP, no secret ever leaves the service after initial configuration, but in the case of discount 2FA through email or especially SMS, a fresh secret has to be delivered to me each time, where it can easily be intercepted by all manner of attacks.
malfist · 26m ago
Absolutely, a shocking about if email traffic is still unencrypted. Any hop along the SMTP way could be compromised
amelius · 2h ago
Also the 6-digit codes tend to appear on the lock screen of my phone, which means anybody can see them. I can turn that off, I know, but many people will not.
Stratoscope · 2h ago
I can't be the only person here who is familiar with the word "attestation" in everyday life but had no idea what it means in the context of login security.
So I asked my friend Miss Chatty [1] about it. Hopefully this will help anyone who is as confused as I was.
[1] Siri and Alexa get to have cool names, so why can't ChatGPT?
eviks · 6h ago
Indeed, such a bad design where instead of a simple and quick 1-shortcut login from a fishing-resistant password manager users have to waste time switching back and forth between different apps/devices
ripped_britches · 9h ago
They aren’t ideal but are they actually worse than passwords? I’d bet that on net, more compromises happen with previously-leaked passwords
deathanatos · 8h ago
I haven't actually seen these being used as passwords like TFA states; they're usually a form of 2FA.
If they actually are passwords, yes, my password manager is a better UX than having to fetch my phone, open SMS, wait for the SMS, like good grief it's all so slow.
(In the 2FA form, I'd prefer TOTP over SMS-OTP, but the difference is less there.)
Symbiote · 5h ago
The largest site where I've seen this flow (username + email) is hotels.com.
whatevaa · 5h ago
Most people don't use a password manager. They just have shit passwords.
ali-aljufairi · 46m ago
I agree thank you
doe88 · 5h ago
Some days when I'm tired of receiving a new authentication code, I'm half-jokingly thinking : we're certainly must reaching a point where at least half of all SMS messages sent are authentication codes (with a small payload, for now).
mahirsaid · 5h ago
This has been driving me nuts. Ever since implementation. This method has been the biggest disappointment of login procedures and quickness. I dont want to go through, three to five steps just to login and in the meantime I forget what I came to the service for in the first place. There's gotta be a better method for security and streamlining sign in's. I should not have to do the work of security for the service and every other week I hear about the same service being hacked and millions of accounts are now affected.
OtomotO · 5h ago
All the talk about passkeys boils down to:
A passphrase is basically like a password in the sense that I can lose it, but it's not like a password in the sense that I can actually memorise it. (Or rather, all of them)
I prefer my passwordstore workflow.
I remember two passwords, the rest is kept save for me and unlocked when I need them.
It's not perfect, but it's by far the least worse solution of them all.
hooverd · 9h ago
I thought this was going to be about Passkeys. Maybe if the FIDO Alliance can stop being obstinant and allow real backups, I'd be all in on them.
eddythompson80 · 8h ago
What do you mean by real backups? What's stopping you from backing up your keys? Its up to the passkey "provider" to allow passkeys backup/sync.
politelemon · 6h ago
Not really, they have no incentive to provide such a thing nor is it mandatory for them to do so.
stavros · 5h ago
Are you saying password managers don't have an incentive to provide a feature users want? That describes literally their entire featureset.
Wowfunhappy · 8h ago
But if you could back up a passkey, wouldn't the key just be a password?
(I do agree with you about backups being essential, but my conclusion was "the idea is fundamentally flawed," rather than "it's one tweak away from greatness.")
harg · 3h ago
No, because unlike a password you never provide the private key for a passkey to the site you’re logging into, which is how many password breaches occur.
burnt-resistor · 5h ago
This is the irreducible problem. It's the Emperor's New Clothes™. So either the secrets get generated and stored in tamper-protected hardware, or they are stored somewhere else that can be made portable. For the latter, then they ought to be serializable into some standard form.
burnt-resistor · 5h ago
Same. Sacrificing security by selling superficial convenience and limited security advantages for crucial inconveniences.
Perhaps there ought to be a well-known, "ACME" password-changing API such that a password manager could hypothetically change every password for every service contained in an automated fashion.
AgentME · 8h ago
Passkeys on cryptocurrency wallets such as the Trezor and Ledger are tied to the device's seed phrase and can be backed up.
baobun · 6h ago
Did you try that? I can't find any confirmation on if it's actually working for classical keys but it's for sure not supported for resident keys on Ledger.
Even with backups, the attestation issue makes them awful.
anonymars · 9h ago
I'm not familiar with this issue and a quick search didn't turn up anything obvious. Would you mind elaborating?
Arrowmaster · 8h ago
They are referring to the ability of a site you are logging into forcing you to use a client from a specific list or having a list of clients to deny.
It's copied over from FIDO hardware keys where each device type needed to be identifiable so higher tier ones could be required or unsecured development versions could be blocked.
jjani · 8h ago
This is what I was referring to, and we already have seen this happen in the wild with PayPal at one point (possibly still) blocking passkeys from e.g. Firefox. For now the argument against this seems to be that "Apple zeroes this out so service providers can't do it without risking issues for their many users who use Apple to store their keys", but clearly this is so precarious of a situation it may as well not be a thing. You can't depend on one trillion-dollar company not changing their minds on that tomorrow.
pandorobo · 8h ago
Specifically they are referring to synced passkeys (passkeys generated by services like Google password manager/1Password/Apple and are linked to that account).
Because these passkeys are stored in the Cloud and synced to your providers account (i.e. Google/Apple/1Password etc), they can't support attestation. It leads to a scenario where Relying Parties (the apps consuming the passkey), cannot react to incidents in passkey providers.
For example: If tomorrow, 1Password was breached and all their cloud-stored passkeys were leaked, RP's have no way to identify and revoke the passkeys associated with that leak. Additionally, if a passkey provider turns out to be malicious, there is no way to block them.
UltraSane · 9h ago
Why?
cyberax · 7h ago
Erm... Passkeys _are_ backupable/syncable WebAuthn keys. You can get the clear-text Passkey private keys by just looking into your storage (Keychain on iOS).
What's missing is a standardized format for the export.
AtNightWeCode · 3h ago
I would have agreed to this if it weren’t for the fact that, for various reasons, you occasionally need to copy and paste passwords manually from password managers. This phishing scenario is no worse.
yieldcrv · 8h ago
I like passkeys on the Apple ecosystem
moomoo11 · 8h ago
Passwordless is fine.
Let’s be honest all forms of auth suck and have pros and cons.
The real solution is detect weird logins because users cannot be trusted. That’s why we build for them!
6510 · 8h ago
MS can also call you, then you only have to press # to log in. Makes it even easier for a spoof website.
totallykvothe · 9h ago
I'm having difficulty understanding what it means for an attacker to "send your email to a legitimate service"...
tczMUFlmoNk · 9h ago
I think this means:
1. You go to evil.example.com, which uses this flow.
2. It prompts you to enter your email. You do so, and you receive a code.
3. You enter the code at evil.example.com.
4. But actually what the evil backend did was automated a login attempt to, like, Shopify or some other site that also uses this pattern. You entered their code on evil.example.com. Now the evil backend has authenticated to Shopify or whatever as you.
bscphil · 5h ago
The site is comparing this method to plain username + password though. Doesn't that miss the obvious point that evil.example.com could do the exact same thing with the username + password method, except it's even easier to phish because they just get your username + password directly (when you type them in) and then an attacker can log in as you via a real browser?
druskacik · 3h ago
evil.example.com can be a legitimate-looking website (e.g. a new tool a person might want to try). If it has a login with email code, it can try to get the code from a different website (e.g. aforementioned Shopify).
For the username + password hack to work, the evil.example.com would have to look like Shopify, which is definitely more suspicious than if it's just a random legitimate-looking website.
anonymars · 9h ago
I assume it's a phishing scenario, given the note about password managers. Evil site spoofs the login page, and when you attempt to log in to the malicious site, it triggers an attempt from the real site, which will duly pass you a code, which you unwittingly put into the malicious site
LoganDark · 9h ago
TOTP is vulnerable to the same attack, though. If you are fooled into providing the code, it doesn't matter whether it's a fresh one to your email or a fresh one from your authenticator.
eddythompson80 · 8h ago
They are, which is one major issue with TOTP and most current MFA methods. There is an implicit assumption that you only get the full benefit if your usi g a password manager.
1. A password manager shouldn't be vulnerable to putting your password in a phishing site.
2. If your password is leaked, an attacker can't use it without the TOTP.
Someone who doesn't use a password manager won't get the benefits of #1, so they can be phished even with a TOTP. But they will get the benefits of #2 (a leaked password isn't enough)
Passkeys assume/require the use of a password manager (called a "passkey provider")
tombds · 9h ago
Man in the middle attack basically.
bobmcnamara · 9h ago
Confused deputy is you?
RamRodification · 5h ago
It's a constant small annoyance in my life that "email" can mean either
* Electronic mail (the technology)
* An email message
* An email address
* An email inbox
In this example they mean email address.
gethly · 6h ago
It means that you go to foo.com and enter your e-mail to sign up. But foo.com routes that request and to bank.com, hoping you have an account there.
bank.com sends you verification email, which you expect from foo.com as part of the sign-up verification process. For some bat shit crazy reason, you ignore that the email came from bank.com and not foo.com and you type in the secret code from the email into the foo.com to complete the sign up process.
And bam! the foo.com got into your bank account.
A complete nonsense but because it works in 0.000000000000001% of the time for some crazy niche cases in the real world, let's talk about it.
ascorbic · 6h ago
The evil site usually says something like "enter the code from our identity partner x" or something, which is a lot more believable when it's a service like Microsoft that does provide services like that.
bibelo · 5h ago
I'm technical and I didn't understand this article.
ManlyBread · 4h ago
I think this is the shortest "article" I've ever seen on this site. It's like linking to a tweet. How does this garbage gets upvoted to the first page?
procaryote · 4h ago
It's correct and to the point. What are you missing?
ManlyBread · 52m ago
The author couldn't even be bothered to write about the supposed examples of these practices being wrong. The whole thing lacks detail and actual arguments, instead we get "please stop" like it's some sort of a reddit or twitter shitpost.
Look at this - https://news.ycombinator.com/item?id=44822267 - is this what this site is supposed to be now? Writing the article in the place of the author because the author couldn't be bothered to even form their own argument correctly? What the fuck?
The fact that this has been upvoted so high and allowed to stay on the front page is also a clear signal to others that this low-effort garbage is welcome here, which will only encourage others to post similarly worthless blogposts, lowering the overall quality of this site.
There are multiple comments in this very thread that are longer than this "article". My own comment is longer!
1) User goes to BAD website and signs up.
2) BAD website says “We’ve sent you an email, please enter the 6-digit code! The email will come from GOOD, as they are our sign-in partner.”
3) BAD’s bots start a “Sign in with email one-time code” flow on the GOOD website using the user’s email.
4) GOOD sends a one-time login code email to the user’s email address.
5) The user is very likely to trust this email, because it’s from GOOD, and why would GOOD send it if it’s not a proper login?
6) User enters code into BAD’s website.
7) BAD uses code to login to GOOD’s website as the user. BAD now has full access to the user’s GOOD account.
This is why “email me a one-time code” is one of the worst authentication flows for phishing. It’s just so hard to stop users from making this mistake.
“Click a link in the email” is a tiny bit better because it takes the user straight to the GOOD website, and passing that link to BAD is more tedious and therefore more suspicious. However, if some popular email service suddenly decides your login emails or the login link within should be blocked, then suddenly many of your users cannot login.
Passkeys is the way to go. Password manager support for passkeys is getting really good. And I assure you, all passkeys being lost when a user loses their phone is far, far better than what’s been happening with passwords. I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.
I always reject attestation requests and I don't recall ever having been refused, so if this was a real problem it seems like I ought to have noticed by now.
The protocol normally allows you to omit the attestation, but they worked around an extra call after a successful registration flow that sends you to an error page if your FIDO2 passkey isn't from one of these large approved vendors: https://learn.microsoft.com/en-us/entra/identity/authenticat...
I found out by trying to prototype my own FIDO2 passkey, and losing my mind trying to understand why successful flow that worked fine on other websites failed with Microsoft. It turns out, you are not allowed to do that.
I do remember explicitly telling them (because of course having agreed to do this they have no idea how and need our instructions) not to enable attestation because it's a bad idea, but you seem to be saying that it'll somehow be demanded (and then ignored) anyway and that was not my experience.
So, I guess what I'm saying here is: Are you really sure it's demanded and then ignored if you turn it off from the administrative controls? Because that was not my impression.
B2C I would expect more latitude on requiring attestation.
I understand the value of attestations in a corporate environment when you want to lock down your employees' devices. But that could simply have been handled through a separate standard for that use case.
https://github.com/keepassxreboot/keepassxc/issues/10407
> To be very honest here, you risk having KeePassXC blocked by relying parties
But having a choice about how you store your credentials shouldn't depend on the good faith of service providers or the spec authors who are doing their bidding anyway. It's a bit similar to sideloading apps, and it should probably be treated similarly (ie, make it a right for users).
People forget that one of the purposes of authentication is to protect both the end user and the service operator.
We have already been through this with many services suddenly demanding that you give them your phone number "for security".
Austria's governmental ID is linked to 5 approved tokens only.
This is far from very obvious, especially given that Apple have gone out of their way to not provide attestation data for keychain passkeys. Any service requiring attestation for passkeys will effectively lock out every iPhone user - not going to happen.
Every time I’ve seen them actually attack user freedom, there was an embarrassingly obvious business angle. Like Chrome’s browser attestation that was definitely not to prevent Adblock, no sir.
But I fear it's worse. Based on how past open standards played out, I find it believable they do care - that there won't be an open ecosystem of password managers.
> But they’ve shown no evidence of hating user freedom on principle.
Yes, they did, just see Microsoft's crusade against Linux and the origin of the "embrace-extend-extinguish" term.
I agree, why would BigTech care about those dozens of users. Screw those guys, they can use our password manager or they can get lost, we don't need them!
Because big tech loves control. Just because you can't see the angle yet, it doesn't mean there isn't one now, or won't be one later. It has been shown time and time again that they will take all the freedom away from you that they can.
Bots using a custom password manager to share logins.
Now the Yubikey is just an API you can call, websites cannot tell the difference. You can't export keys, but a bot can add new keys after using existing keys to log in.
I set up a passkey for github at some point, and apparently saved it in Chrome. When I try to "use passkey for auth" with github, I get a popup from Chrome asking me to enter my google password manager's pin. I don't know what that pin is. I have no way of resetting that pin - there's nothing about the pin in my google profile, password manager page, security settings, etc.
The way to go is an encrypted password manager + strong unique random passwords + TOTP 2FA. It's human-readable. Yes, that makes it susceptible to phishing, but it also provides very critical UX that makes it universal and simple.
Especially since Google doesn’t allow you to change your personal default which is what convinced me to go and switch all my accounts off of Google SSO
On my Windows laptop that is Windows Hello PIN, not sure about other OSs. And it can be disabled.
The problem is that I can physically show up at my local bank branch or at my job's IT helpdesk to get my account back, but I can't show up at the Googleplex or at Facebook's or Xitter's HQ and do the same. Device bound passkeys are very error prone for the latter scenario, since users will fail to account for that case.
I wish there was a stronger differentiation between syncable and device-bound passkeys. It seems like we're now using the same word for two approaches which are very different when it comes to security and user-friendliness.
And yes, giving granny unsyncable passkeys is a really bad idea, for so many reasons.
But there is no difference. I'd prefer if services just let me generate a passkey and leave it entirely up to me how I manage it. Whoever setup granny's device should have done so with a cloud based manager.
I think Google tries to make some confused distinction, or maybe that has more to do with FIDO U2F vs FIDO2. There you can add either a "passkey" or a "security key", but iirc I added my passkey on my security key so... yeah
No, at least not on its own. Let's not repeat the mistakes.
Password managers are the way to go and ONLY FOR RARE EXCEPTIONS we should use dedicated MFA, such as for email-accounts and financial stuff. And the MFA should ask you to set up at least 3 factors and ask you to use 2 or more. And if it doesn't support more or less all factors like printed codes, OS-independent authenticator apps and hardware keys like yubikey, then it should not be used.
Such as finding a dinosaur fossil of your families name clan.
Bitwarden the password manager includes a full passkey implementation, which doesn't involve any MFA.
No: - I can always export and import all my passwords from/into my password manager - My passwords always work independently of a password manager or any specific app/OS/hardware
That is not true for passkeys and makes them much more like tokens. Of course they don't have to be used in MFA, just like passwords.
Passkeys is an interface between your password manager and a website without all the fluff with filling or copy-pasting passwords.
I don't love them. I don't love passwords either.
But while I don't fear passwords, I fear passkeys. The reason is that it makes the tech even more intransparent. My password manager stops working, completely dies or I can't use it anymore for other reason? No problem, I can fallback to a paper list of passwords if I really have to. This transparency and compatibility is more important than people think.
Passkeys lack that. They can be an interface like you described, but only if everyone plays along and they can be exported. But since there is no guarantee (and in practice, they often cannot be exported either) they are not a replacement for passwords. They are a good addition though.
Unfortunately, many people don't understand that and push for passwords to begone.
It's literally something like
stored in the password manager.- open website
- if not already logged in, log in to 1Password
- autofill password
- autofill TOTP
Now:
- open website
- if logged in to 1Password the Use Passkey usually shows up
- if not:
Passkeys would be great if they actually made anything simpler on a computer. They work fine on the phone but that’s not where I spend most of my time.Now that I’m so paranoid about this, and not remembering which sites I have them for, I always dismiss the passkey prompt, then have to click several more times to get to the password login and fill it in with my password manager.
Apple Passwords now sufficiently good to replace 1Password for me and I’m slowly transitioning.
I don’t mind subscription models per se but there was something about subscription for your own passwords that made me refuse to jump the fence when 1Password switched to that model.
Would be a bit faffy if you’re a Chrome user.
I also have a bunch of stuff in 1Password that doesn’t have a home in Apple Passwords, which would be a problem.
And yes, Chrome with Apple Passwords is annoying. At work I’m forced to use Chrome for some things, and I’ve been dabbling with Apple Passwords. Every time I launch the browser I have to put in a code to link the extension with Passwords. It’s very annoying.
"Click a link in the email" is really bad because it's very difficult to know the mail and the link in it are legitimate. Trusting links in emails opens to door to phishing attacks.
The company doesn't care either because fraud is just the cost of doing business- ease of ordering> security.
Visiting the bank is fine. But who do you visit to recover your Gmail password?
It can take months and it only guarantees a backup, not full access, but it's better than nothing.
For a lot of people, dealing with (now mostly digital) bureaucracies is a major stress in life. The biggest one, for some.
Its not just about invonvenience. Its sometimes about losing access to some, and just not having it for a while.
In terms of practical effect, a performance metric for a login system could be "% of users that have access at a given point." There can be a real tradeoff, irl, between legitimate access and security.
On the vendor side.. the one time passwords fallback has become a primary login method for some. Especially government websites.
Customer support is costly and limited in capacity. We are just worse at this than we used to be.
Digital identity is turning out to be a generational problem.
I am waiting for the era when using passkeys is not depending from some big tech company.
Point is, the damage will be likely local to a single or a handful of accounts.
If all the accounts are protected by two factor on my phone and I lose it or it bricks, then I'm done. It will be a total mess with no paths to recover, except restarting literally everything from scratch.
I have Google Auth app on my phone and every few months I consider using it, but then reconsider and stay with passwords.
But granny can't go to a bank because they closed down most of their offices. Since 99% of what you need a bank for can be done using their app it no longer made financial sense to have a physical presence in most smaller towns and villages.
Lots of elderly were complaining about this when it happened because they were too lazy to learn how to use the bank apps. Hell, they already started complaining when you could no longer withdraw money at the desk even before they closed down the offices. Apparently even learning to use something as simple as an ATM was too much effort for them.
I still don’t really understand what recovery looks like for a lost passkey… especially if I lose all of them. Not everything has a physical location where an identity can be validated, like a bank. Even my primary bank isn’t local. I’d have to drive about 6 hours to get to a branch office.
To avoid getting locked out you could add 2-3 passkeys from different providers to each account. And/or use a passkey provider that allows backups, and back up your keys. But I doubt many people will have the discipline to do either of that.
Btw this predates passkeys which should perhaps be the way to go from now on.
> Website: is this Jimbob' phone
> Hardware: yes
And
> Website: I'll give you a dollar if you tell me something juicy about this user
> Hardware: Give this token to Microsoft and ask them
> Microsoft: Jimbob is most likely to click ads involving fancy cheeses, is sympathetic to LGBTQ causes, and attended a protest last week
With passwords and TOTP codes, I am in control of what information is exchanged. Passkeys create a channel that I can't control and which will be used against me.
(I chose Microsoft here because in a few months they're using the windows 10->11 transition to force people into hardware that locks the user out of this conversation, though surely others will also be using passkeys for similarly shady things).
1) User goes to BAD website.
2) BAD website says “Please enter your email and password”.
3) BAD’s bots start a “Log in with email and password” on the GOOD website using the user’s email and password.
4) BAD now has full access to the user’s GOOD account.
A clickable link sent in email mostly works too, it ensures that the user arrives at GOOD.COM. (If BAD sends an email too, then there is a race condition, but it is very visible to the user.)
Pin code sent in email is not very good when the user tries to log in to BAD.COM.
In the OP's example, the user is logging in to BAD.com intentionally, but his GOOD.com account is still hacked into.
This is a lot harder for the user to catch on to.
There are lots of attack patterns. That is one. I am not certain I believe it is very likely, because (a) I think "sign-in partner" is obvious bullshit, and (b) I don't understand why I would never enter a code into the wrong website. I believe it can be possible, but...
> Passkeys is the way to go. ... I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.
... I do not agree your story is justification for passkeys, or for letting banks trust passkeys for authentication purposes. I'd rather she not lose access to banking services in the first place: I don't think banks should be allowed to do that, and I do not think it should be possible for someone to "steal all her money" so quickly -- Right now you should have at least several days to fix such a thing with no serious inconvenience beyond a few hours on the phone. I think it is important to keep that, and for banking consumers to demand that from their bank.
A "granny" friend of mine got beekeeper'd last year[1] and her bank reversed/cancelled the transfers when she was able to call the next say and I (local techdude) helped backup/restore her laptop. I do not think passkeys would helped and perhaps made things much worse.
But I don't just disagree with the idea that passkeys are useful, or even the premise of a decision here between losing all their money and choosing passkeys, I also disagree with your priors: Having to visit a bank branch is a huge inconvenience for me because I have to fly to my nearest. I don't know how many people around here keep the kind of cash they would need on-hand if they suddenly lost access to banking services and needed to fly to recover them.
I think passkeys are largely security-theatre and should not be adopted simply if only so it will be harder for banks to convince people that someone should be able to steal all their money/access with the passkey. This is just nonsense.
[1]: seriously: fake antivirus software invoice and everything, and her and her kid who is my age just saw the movie in theatres in like the previous week. bananas.
It's looks almost the same as the log-in-with-big-tech flow that users are already used to.
> and (b) I don't understand why I would never enter a code into the wrong website. I believe it can be possible, but...
You enter it on the website you are trying to log into and where you initiated the action, which in this scenario is the BAD website.
You and I think they are bullshit, but ... the problem is that bullshit is sometimes genuine.
I have got tired of how many times in recent years I have seen things that looked like phishing or had obvious UX-security flaws and reported them only to have got a reply from customer service that the emails and sites were genuine and that they have no intention of improving.
If janky patterns is the norm, then regular users will not be able to recognise the good-but-janky from the scams.
Now replace email a with text message sent from a short-code.
Nearly every website tries to offer Google or Microsoft based sign in, "sign in partners" are commonplace.
Then the banks wanted you to use the dongle to verify yourself on phone and it all went downhill from there.
That's what phishing is predicated on, and it seems to be successful enough.
No, please, not as long as attestation is in the spec. I firmly believe that passkeys are intended to facilitate vendor lock-in and reduce the autonomy of end users.
Frankly, I do not trust any passkey implementation as much as I trust a GPG-encrypted text file.
A bad practice is the shorten the code validity to a few minutes. This cannot really be justified and puts users under stress, which lessens security.
The discussion around passkeys, who is and isn't allowed to store them, almost killed them for me personally. I use them for very, very few services and I don't want to extend it.
No comments yet
My problem with passkeys is that there is no hardware attestation like there is with Yubikeys and similar.
This means for security conscious applications you have no way of knowing if the passkey you are dealing with is from an emulator or the real-deal.
Meanwhile with Yubikeys & Co you have that. And it means that, for example people like Microsoft can (and do) offer you the option to protect your cloudy stuff with AAGUID filtering.
And similar if you're doing PIV e.g. as a basis for SSH keys, you can attest the PIV key was generated on the Yubikey.
You can't do any of that with passkeys.
They’re too opaque for my taste and I don’t like them.
This point means the user is not paying attention: 1) User goes to BAD website and signs up. Steps 2-7 wouldn't be possible without 1.
I'd imagine a convincing enough modal would do the trick though, in a lot of cases.
if the BAD site itself looks legit, and has convinced a user to do the initial login in the first place, they won't hesitate to lie and say that this 2-factor code is part of their partnership with google etc, and tells you to trust it.
A normal user doesn't understand what is a 2factor code, how it works, and such. They will easily trust the phisher's site, if the phisher first breaks the user and set them up to trust the site in the beginning.
What google does is to send a notification to the user's phone telling them someone tried to access their account if this happened (or any new login to any new device you previously haven't done so on). It's a warning that require some attention, and depending on your state of mind and alertness, you might not suspect that your account is stolen even with this warning. But it is better than nothing, as the location of the login is shown to you, which should be _your own location_ (and not some weird place like cypress!).
Isn't this the same thing as BAD asking, let us know the code i.e. password that GOOD gave you? Why would one be inclined to give BAD (i.e. someone else) this info?
You get an email, providing you with a phishing link for miсrosoft.com (where the apparent c is actually the cyrillic "s", so BAD). In the background, they initiate a login to microsoft.com (GOOD), who then send you a 6 digit code from the actual microsoft.com. If you were fooled by the original phishing website, you have no reason to doubt the code or not enter it.
> 2) BAD website says “We’ve sent you an email, please enter the 6-digit code! The email will come from GOOD, as they are our sign-in partner.”
Does that mean that GOOD must be a 3rd party identity provider like Facebook, Apple, Google etc?
When you insert the login code on BAD, BAD uses it to finish the login process on GOOD that they started “on your behalf”.
1. you got login credentials at GOOD
2. you're using the same email address there
They then tell you GOOD will send you a code that you have to enter on their website.
Then they enter your Email on GOOD and request a reset, which sends a mail with a code to you.
You then enter the code on their website.
Now that they have the code they can enter it on GOOD and they have your account.
To be fair, can we blame them? There are so many legitimate flows that redirect like it’s a sport. Especially in payments & authn, which is where it’s most important. Just random domains and ping pong between different partner systems.
And how do you access your password manager when your computer is locked ?
The prompts that show where the login is coming from are useless, too, because mapping from IP addresses to geographical locations is far from perfect. For example, my legit login attempts showed me all over my country map. If I’m in a corporate VPN already, its exit nodes may also be all over the map, and your legitimate login from, say, Germany may present itself as coming from Cyprus, which is shady as fuck.
If I seek to implement 2fa for my own service and have it be not theater and resistant to such phishing attacks, it gets difficult real fast.
Edit: See first reply, this is not a mitigation at all!
The problem being exploited by BAD is that your login account identifier (email in this case) is used in both GOOD (and BAD - accidentally or deliberately orchestrated), and 2-factor does not prevent this type of phishing.
Peope do read, if the email is short
1) User goes to BAD website and signs up (with their user and password). BAD website captures the user and password
2) BAD website shows a fake authentication error, and redirects to GOOD website. Users is not very likely to notice.
3) BAD uses user and password to login to GOOD’s website as the user. BAD now has full access to the user’s GOOD account.
OK, with a password manager the user is more likely to notice they are in BAD website. Is that the advantage?
Passkeys are stronger here because you can’t copy and paste a passkey into a bad website.
If the attacker's doing this to thousands of accounts - which I'm sure they are - they're going to be stealing accounts for free just by guessing.
I wrote up a security report and submitted it and they said that I hadn't sufficiently mathematically demonstrated that this is a security vulnerability. So your only option is to get spammed and hope your account doesn't get stolen, I guess.
You can enable it on account.microsoft.com > Account Info > Sign-in preferences > Add email > Add Alias and make it primary. Then click Change Sign-in Preferences, and only enable the alias.
With the alias I no longer have this issue.
As an example: I've disabled the email and sms MFA methods because I have two hardware keys registered.
However, as soon as my account is added to an azure admin group (e.g. through PIM) an admin policy in azure forces those to 'enabled'.
It took me a long time debugging why the hell these methods got re-enabled every so often, it boils down to "because the azure admin controls for 'require MFA for admins' don't know about TOTP/U2F yet"
Imho it's maddening how bad it is.
Did I click “Yes” to the attack the fifth time, or was the sixth the attack? Or was it just a “hiccup” in the system?
Do I cancel the migration job and start from the beginning or roll the dice?
It’s beyond idiotic asking a Yes/No question with zero context, but that was the default MFA setup for a few hundred million Microsoft 365 and Azure users for years.
“Peck at this button like a trained parrot! Do it! Now you are ‘secure’ according to our third party audit and we are no longer responsible for your inevitable hack!”
Using a modern password manager, like 1password, is _easier_, safer, and faster than the stupid email-token flow. it takes a little bit of work and attention at first to setup across a couple devices, and verify it works.... but its really about the same amount of effort as keeping track of a set of keys for your house, car, and maybe a workplace.
If you make a copy of a door key when you move into a new place, you test the key before assuming it works. Same thing with a password manager. Save a password on your phone, test it on a different device, and verify the magic sync works. Same as a key copier or some new locks a locksmith may install.
Humans can do this. You don't need to understand crypto or 2fa, but you can click 'create new password' and let the app save some insanely secure password for a new site. Same with a passkey, assuming you don't save to your builtin device storage that has some horrible, hidden user interface around backing that up for when your phone dies.
And the irony is the old flow just works better! You let the password manager do the autofill, and it takes a second or two, assuming their is an email _and_ a password input. Passkeys can be even faster.
I don't know the general situation, but, at least in our small town, people would go to the phone service shop just for account setup and recovery, since it's just too complicated. Password managers and passkeys don't make things simpler for them either –– I've never successfully conveyed the idea of a password manager to a non-tech person; the passkey is somehow even harder to explain. From my perspective it's both the mental model and the extra, convoluted UX that's very hard to grasp for them.
Until one day we come up with something intuitive for general audience, passwords and the "worse" one-time code will likely continue to be prominent for their simplicity.
I've got a little generic login tool that bits I write myself use for login, using this method, but it is not for anything sensitive or otherwise important (I just want to identify the user, myself or a friend, so correct preferences and other saved information can be applied to the right person, and the information is not easily scraped) - I call it ICGAFAS, the “I Couldn't Give A Factor” Auth System to make it obvious how properly secure it isn't trying to be!
Another issue that email based “authentication” like this (though one for the site/app admins more than the end user) has is the standard set of deliverability issues inherent with modern handling of SMTP mail. You end up having to use a 3rd party relay service to reduce the amount of time you spend fighting blocklists as your source address gets incorrectly ignored as a potential spam source.
If you use sentences instead of randomly generated characters, the entropy (in bits/character) is lower, so 100 characters might well make sense.
No comments yet
Also, only developers who have no idea know what they're doing will feed plain-text passwords to their hasher. You should be peppering and pre-digesting the passwords, and at that point bcrypt's 72 character input limit doesn't matter.
> An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can't know for sure if the code is supposed to be entered in the right place.
- You are in front of the attacker site that looks like a legitimate site where you have an account (you arrived there in any way: Whatsapp link, SMS, email, whatever). Probably the address bar of your browser shows something like microsoft.minecraft-softwareupdate.com or something alike, but the random user can't tell it's fake. The page asks you to login (in order to steal your account).
- You enter the email address to login. They enter your email address in the legitimate site where you actually have an account.
- Legitimate site (for example Microsoft) sends you an email with a six digit code, you read the code, it looks legit (it is legit) and you enter it in the attacker site. They can now login with your account.
> An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can't know for sure if the code is supposed to be entered in the right place.
Replace "can simply send your email address" with "can simply input your email address". An attacked inputs your email at login.example.com, which sends a code to your email. The attacker then prompts you for that code (ex. via a phishing sms), so you pass them the code that lets them into the account.
The article is not advocating against e-mail-driven URL-based password reset/login, whereby the user doesn't enter any code, but must follow a URL.
The six digit code can be typed into a phony box put up by a malicious web site or application, which has inserted itself between the user and the legitimate site.
The malicious site presents phony UI promoting the user to initiate a coded login. Behind the scenes, the malicious site does that by contacting the genuine site, and provoking a coded login. The user goes to their inbox and copies the code to the malicious site's UI. The site then uses it to obtain a session with the genuine site, taking over the user's account.
A SSL protected URL cannot be so easily intercepted. The user clicks on it and it goes to the domain of the genuine site.
With email pasting the number into a random website is the expected flow and there is basically no protection (some phones have basic protections for SMS auth but even this only works if you are signing in on the same device).
1. It's pretty phishable. I think this is mostly solved, or at least greatly mitigated, by using a Slack-style magic sign-in link instead of a code that you have the user manually enter into the trusted UI. A phisher would have to get the user to copy-paste the URL from the email into their UI, instead of clicking the link or copy-pasting it into the address bar. That's an unusual enough action that most users probably won't default to doing it (and you could improve this by not showing the URL in HTML email, instead having users click an image, but that might cause usability problems). It's not quite fully unphishable, but it seems about as close as you can get without completely hiding the authentication secret from the user, which is what passkeys, Yubikeys, etc., do. I'd love to see the future where passkeys are the only way to log into most websites, but I think websites are reluctant to go there as long as the ecosystem is relatively immature.
2. It's not true multi-factor authn because an attacker only needs to compromise one thing (your inbox) to hijack your account. I have two objections to this argument:
a. This is already the case as long as you have an email-based password reset flow, which most consumer-facing websites are unwilling to go without. (Password reset emails are a bit less vulnerable to phishing because a user who didn't request one is more likely to be suspicious when one shows up in their inbox, but see point 1.)
b. True multi-factor authn for ordinary consumer websites never really worked, and especially doesn't work in the age of password managers. As long as those exist, anyone who possesses and is logged into the user's phone or laptop (the usual prerequisites for a possession-based second factor) can also get their password. Most websites should not be in the business of trying to use knowledge-based authentication on their users, because they can't know whether the secret really came from the user's memory or was instead stored somewhere, the latter case is far more common in practice, and only in the former case is it truly knowledge-based. Websites should instead authenticate only the device, and delegate to the device's own authentication system (which includes physical possession and likely also a lock secret and/or biometric) the task of authenticating the user in a secure multi-factor way.
* Mobile email clients that open links in an embedded browser. This confuses some people. From their perspective they never stay logged in, because every time they open their regular browser they don’t have a session (because it was created in the embedded browser) and have to request a login link again.
* Some people don’t have their email on the device they want to log in on.
Sending codes solves both of these problems (but then has the issues described in the article, and both share all the problems with sending emails)
The reason why magic links don't usually work across devices/browsers is to be sure that _whoever clicks the link_ is given access, and not necessarily whoever initiated the login process (who could be a bad actor)
If done naively with a simple magic link, yes.
> and if the user happens to click the link they've just given the attacker access to their account
Worse: if the user's UA “clicks the link” by making the GET request to generate a preview. The user might not even have opened the message for this to happen.
> Wouldn't that be incredibly insecure?
It can be mitigated somewhat by making the magic link go to a page that invites the user to click something that sends a post request. In theory the preview loophole might come into play here if the UA tries to be really clever, but I doubt this will happen.
Another option is to give the user the option to transfer the session to the originating UA, or stay where they are, if you detect that a different UA is used to open the magic link, but you'd have to be carful wording this so as to not confuse many users.
Off the cuff suggestions for improving UX in secure flows just make things worse.
Magic links are better than codes, but they don't work well for cross-device sign-in. What Nintendo does is pretty great: If I buy something on my switch, it shows me a QR code I take a picture of with my phone and complete the purchase there.
I agree it is "mostly solved" in that there are good examples out there, but this is a long way from the solution being "best practices" that users can expect the website/company to take security seriously.
> a. This is already the case as long as you have an email-based password reset flow
I hard-disagree:
If I get an email saying "Hi you are resetting your password, follow these directions to continue" and I didn't try to reset my password I will ignore that email.
If I have to type in random numbers from my email every few days, I'm probably going to do that on autopilot.
These things are not the same.
> anyone who possesses and is logged into the user's phone or laptop (the usual prerequisites for a possession-based second factor) can also get their password.
I do not know what kind of mickey-mouse devices you are using, but this is just not true on any device in my house.
Accessing the saved-password list on my computer or phone requires an authentication step, even if I am logged-in.
I also require second-authentication for mail and a most other things (like banking, facebook, chats, etc) since I do like to let my friends just "use my phone" to change something on spotify or look up an address in maps.
> Most websites should not be in the business of trying to use knowledge-based authentication on their users, because they can't know whether the secret really came from the user's memory or was instead stored somewhere
They can't know that anyway, and pretending they do puts people at risk of sophisticated attackers (who can recover the passkey) and unsophisticated incompetence on behalf of the website (who just send reset links without checking).
> Websites should instead authenticate only the device, and delegate to the device's own authentication system
I disagree: Websites have no hope of authenticating the device and are foolishly naive to try.
except I'm a user, not a device
>>I<< want to be authenticated, not my specific device that I'm going to switch at some point
If you enter your username, password, and totp, and the website tells you you've logged in from some device halfway across the planet you've never heard of, you probably have a problem.
1. authentication via password: accounts stolen by criminals and then inaccessible to the user.
2. authentication via passkey: accounts lost by users because passkeys have friction, to say the least, when devices are lost/stolen/transferred.
It seems that big providers would much rather scenario 2.
Nevermind. that pretty much all services treat the second factor as more secure than my 20 character random password saved in a local password safe. And those second factors are, lets see, plain text over SMS, plain text over the internet to an email address, etc, etc, etc.
I appreciate most people log in and stay logged in but I frequently switch Spotify accounts and I use passwords to log in, instead of letting me choose password or a 6 digit code, every time I try and change account a needless 6 digit code is generated and sent to a shared inbox, a huge waste of resources and storage. In addition to being a security concern as flagged throughout this thread.
Try multi-account containers so no need to log out? (Or Island on Android?)
If anyone would be interested I could write it up? I was surprised what a nice user flow it is and how easy it was to achieve.
[0] https://goauthentik.io/
With a username and password field, these are automatically correctly filled by Safari.
With sites that only offer an email field, I have to manually fill it.
(Note that I tend to use different emails for different sites; if you only ever use one email this might not be a problem).
Email magic links are more phishing resistant - the email contains a link that authenticates the device where the link was clicked. To replicate the same attack, the user would have to send the entire link to the attacker, which is hopefully harder to socially engineer.
But magic links are annoying when I want to sign in from my desktop computer that doesn't have access to my email. In that case OTP is more convenient, since I can just read the code from my phone.
I think passkeys are a great option. I use a password manager for passkeys, but most people will use platform-provided keys that are stuck in one ecosystem (Google/Apple/MS). You probably need a way to register a new device, which brings you back again to email OTP or magic link (even if only as an account recovery option).
While the premise is correct -- it's easy to complain but the author also provides zero recommendations on what is a better form of MFA.
It's about email as single factor auth, which has become very trendy of late. You just enter your email address, no password, and the email you a code. Access to your email is the only authentication.
That's not MFA. MFA stands for multi-factor authentication. If the authentication only requires a code sent to an email OR phone number, that's just a single factor.
I must be in the wrong bubble, I have not encountered any site that does this since the 2000s. It was a minor trend around then IIRC.
Patreon can do that too, depending on how you sign up.
The entire email login flow is completely retarded. It’s not even secure.
- Enter an email address or phone number
Thats not just email, that's also SMS.
It’s about single factor, password logins, using a one-time-token
The very first bullet point states: Enter an email address or phone number
That insinuates email OR SMS.
It doesn't just mention email only.
The authentication factors of a multi-factor authentication scheme may include: 1. Something the user has: Any physical object in the possession of the user, such as a security token (USB stick), a bank card, a key, a phone that can be reached at a certain number, etc. 2. Something the user knows: Certain knowledge only known to the user, such as a password, PIN, PUK, etc. 3. Something the user is: Some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
Email and phone are both in category one, comprising only one unique factor.
I’m pretty sure we can prevent this by issuing some kind of proof of agreement (with sender and recipient info) thru email services. Joining a service becomes submitting a proof to the service, and any attempt to contact the user from the service side must be sealed with the proof. Mix in some signing and HMAC this should be doable. I mean, IF we really want to extend the email standard.
Most leaked passwords online come initially from leaked hashes, which bad actors use tools like hashcat to crack.
If your user has a password like "password123" and the hash gets out, then the password is effectively out too, since people can easily lookup the hash of previous cracked passwords like "password123".
[0] https://en.wikipedia.org/wiki/Salt_(cryptography)
So even 7 years ago bcrypt was only the 3rd recommended option.
This is not good for the user.
Passkeys would be so much easier, convenient and so much more secure. I really don't understand why they go for this.
A better workflow is to send the user a link where they can set their initial password themselves.
Just like sending large files over the internet.
So I asked my friend Miss Chatty [1] about it. Hopefully this will help anyone who is as confused as I was.
https://chatgpt.com/share/68947f35-0a10-8012-9ae9-adadc3df8b...
[1] Siri and Alexa get to have cool names, so why can't ChatGPT?
If they actually are passwords, yes, my password manager is a better UX than having to fetch my phone, open SMS, wait for the SMS, like good grief it's all so slow.
(In the 2FA form, I'd prefer TOTP over SMS-OTP, but the difference is less there.)
A passphrase is basically like a password in the sense that I can lose it, but it's not like a password in the sense that I can actually memorise it. (Or rather, all of them)
I prefer my passwordstore workflow.
I remember two passwords, the rest is kept save for me and unlocked when I need them.
It's not perfect, but it's by far the least worse solution of them all.
(I do agree with you about backups being essential, but my conclusion was "the idea is fundamentally flawed," rather than "it's one tweak away from greatness.")
Perhaps there ought to be a well-known, "ACME" password-changing API such that a password manager could hypothetically change every password for every service contained in an automated fashion.
https://www.ledger.com/blog/strengthen-the-security-of-your-...
https://github.com/LedgerHQ/app-security-key/issues/6
https://github.com/LedgerHQ/app-security-key/issues/7
Is Trezor implementation more mature?
It's copied over from FIDO hardware keys where each device type needed to be identifiable so higher tier ones could be required or unsecured development versions could be blocked.
Because these passkeys are stored in the Cloud and synced to your providers account (i.e. Google/Apple/1Password etc), they can't support attestation. It leads to a scenario where Relying Parties (the apps consuming the passkey), cannot react to incidents in passkey providers.
For example: If tomorrow, 1Password was breached and all their cloud-stored passkeys were leaked, RP's have no way to identify and revoke the passkeys associated with that leak. Additionally, if a passkey provider turns out to be malicious, there is no way to block them.
What's missing is a standardized format for the export.
Let’s be honest all forms of auth suck and have pros and cons.
The real solution is detect weird logins because users cannot be trusted. That’s why we build for them!
1. You go to evil.example.com, which uses this flow.
2. It prompts you to enter your email. You do so, and you receive a code.
3. You enter the code at evil.example.com.
4. But actually what the evil backend did was automated a login attempt to, like, Shopify or some other site that also uses this pattern. You entered their code on evil.example.com. Now the evil backend has authenticated to Shopify or whatever as you.
For the username + password hack to work, the evil.example.com would have to look like Shopify, which is definitely more suspicious than if it's just a random legitimate-looking website.
1. A password manager shouldn't be vulnerable to putting your password in a phishing site.
2. If your password is leaked, an attacker can't use it without the TOTP.
Someone who doesn't use a password manager won't get the benefits of #1, so they can be phished even with a TOTP. But they will get the benefits of #2 (a leaked password isn't enough)
Passkeys assume/require the use of a password manager (called a "passkey provider")
* Electronic mail (the technology)
* An email message
* An email address
* An email inbox
In this example they mean email address.
bank.com sends you verification email, which you expect from foo.com as part of the sign-up verification process. For some bat shit crazy reason, you ignore that the email came from bank.com and not foo.com and you type in the secret code from the email into the foo.com to complete the sign up process.
And bam! the foo.com got into your bank account.
A complete nonsense but because it works in 0.000000000000001% of the time for some crazy niche cases in the real world, let's talk about it.
Look at this - https://news.ycombinator.com/item?id=44822267 - is this what this site is supposed to be now? Writing the article in the place of the author because the author couldn't be bothered to even form their own argument correctly? What the fuck?
The fact that this has been upvoted so high and allowed to stay on the front page is also a clear signal to others that this low-effort garbage is welcome here, which will only encourage others to post similarly worthless blogposts, lowering the overall quality of this site.
There are multiple comments in this very thread that are longer than this "article". My own comment is longer!