
"In the big picture, this is a story about how password managers could be tricked into divulging login information -- either traditional credentials such as user IDs and passwords or credential-like artifacts associated with passkeys -- to threat actors. Are password managers to blame? Tóth -- the researcher who discovered the exploit -- suggests that they are, but the answer is more complicated."
"Fully locking down any automated process is invariably the result of security in layers. Across the grand majority of use cases where digital security matters, there's almost never a single silver bullet that wards off hackers. Depending on the layers of technology that combine to complete a workflow (for example, logging into a website), responsibility for the security of that process is shared by the parties that control each of those layers."
A researcher developed an exploit that hijacks passkey authentication under a specific combination of pre-existing conditions. The exploit can trick password managers into divulging traditional credentials such as user IDs and passwords, or credential-like artifacts associated with passkeys, to threat actors. The demonstration did not show the passkeys themselves or the underlying protocol to be vulnerable. Successful exploitation requires that website operators and end users have traded security for convenience in the authentication flow. Effective defense depends on layered security controls, and each party that controls a layer, password managers, websites, and users alike, must act at its own layer to reduce the risk.
Read at ZDNET