undefined | Better HN

0 pointsbadrabbit3y ago0 comments

Doesn't work that way. Passwords are inferior but still a strong layer of defense. You are putting all your eggs in one basket again. The lesson from passwords is that a single factor of authentication is inherently inferior to multiple factors of authentication. From a threat actor's perspective, even a yubikey is a matter of one well planned attack (physical, compromised host,etc) and by nature newer factors of auth don't get treated with hostility like with passwords. They are better than passwords but what I see is people moving away from MFA to only a yubikey for example. Like you are now one lost yubikey away from your whole company getting owned lol.

0 comments

PassageNick3y ago

Passwordless is MFA -- something you are and something you have.

I'm not a yubikey expert, but I don't believe that losing your Yubikey will open up your company to a breach.

For a typical passwordless solution, losing your phone isn't a risk, given that no one can reproduce your face or thumbprint.

badrabbitOP3y ago

Your face and thumbprint can easily be reproduced. There is even a guy that took a photo of a politicians' finger from a mile away and used that to forge their fingerprint. Even without going technical your dopplegangers can bypass face auth lol. You can guess spray pins and push notification codes. The one thing you can count on is someone will find a way around any good passwordless solution. For example, there is a "rdp in browser" phishing where a browser in the attackers vm does the actual auth but the user thinks it is in their browser so most passwordless methods are defeated by cookie theft like that.

PassageNick3y ago

If you can take a photograph of someone's fingerprint and reproduce it, how, exactly, does one use that?

PassageNick3y ago

....and can you explain the cookie theft thing a bit more?

j / k navigate · click thread line to collapse

0 pointsbadrabbit3y ago0 comments

0 comments

PassageNick3y ago

Passwordless is MFA -- something you are and something you have.

I'm not a yubikey expert, but I don't believe that losing your Yubikey will open up your company to a breach.

For a typical passwordless solution, losing your phone isn't a risk, given that no one can reproduce your face or thumbprint.

badrabbitOP3y ago

PassageNick3y ago

If you can take a photograph of someone's fingerprint and reproduce it, how, exactly, does one use that?

PassageNick3y ago

....and can you explain the cookie theft thing a bit more?

j / k navigate · click thread line to collapse