The Passkey Hijack

What really went down?

Is the savior of authentication, the bane of hackers, in trouble?

A quick post. It's in the link.

Your passkeys could be vulnerable to attack, and everyone - including you - must act
When a clickjack attack managed to hijack a passkey authentication ceremony, were password managers really to blame? ZDNET’s investigation reveals a more complicated answer.

Finally, despite the potential for a threat actor to hijack a passkey authentication ceremony once the non-trivial preconditions are met, Tóth's exploit offers additional evidence that passkeys are more secure than traditional credentials. Session-binding renders the one-time passkey-generated golden ticket unusable from the attacker's system. However, it does nothing to stop the threat actor's exfiltration of the user's ID and password when Tóth's clickjack attack encounters an attempt to authenticate with those traditional credentials versus the more time-sensitive and secure passkeys.

So, the technology is sound, but the implementation is shaky, depending on whether it's the password manager, the FIDO device, the browser or the service to which it applies. In other words, programming. Bloody programmers 😂

Groan

#enoughsaid