Erik van Straten<p><span class="h-card" translate="no"><a href="https://tech.lgbt/@nekodojo" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>nekodojo</span></a></span> <span class="h-card" translate="no"><a href="https://federate.social/@jik" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jik</span></a></span> : thank you for sharing your thoughts!</p><p>To add to them: a TOTP app is a stupid password manager. Most people do not understand that it more than doubles your risk of account lockout.</p><p>And that is apart from other risks excellently described Conor Gilsenan (<span class="h-card" translate="no"><a href="https://infosec.exchange/@conorgil" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>conorgil</span></a></span> ) et al. in <a href="https://www.usenix.org/conference/usenixsecurity23/presentation/gilsenan" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">usenix.org/conference/usenixse</span><span class="invisible">curity23/presentation/gilsenan</span></a> (and <a href="https://github.com/blues-lab/totp-app-analysis-public" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/blues-lab/totp-app-</span><span class="invisible">analysis-public</span></a>).</p><p>Twilio Authy being one of the worst (echoed by <a href="https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/</span></a>).</p><p>And, like SMS, TOTP apps do not protect against non-dumb AitM * attacks (Microsoft's endlessly repeated 99.9% reduction in change of getting hacked when using 2FA, extremely irritates me - considering <a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/all-your-creds-are-belong-to-us/855124" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">techcommunity.microsoft.com/bl</span><span class="invisible">og/microsoft-entra-blog/all-your-creds-are-belong-to-us/855124</span></a> from 2019 - and, although an advertisement, IMO a good article: <a href="https://www.bleepingcomputer.com/news/security/mfa-matters-but-it-isnt-enough-on-its-own/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/mfa-matters-but-it-isnt-enough-on-its-own/</span></a>).</p><p>* Attacker/Adversary in the Middle.</p><p>IMO, the nr. 1 advantage of passkeys is the "built in" domain name check - which makes phishing attacks a *lot* harder (albeit not impossible: <a href="https://infosec.exchange/@ErikvanStraten/112914050216821746" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914050216821746</span></a>).</p><p>The fact that stealing private keys is next to impossible, does not protect against device or browser compromise: after logging in using your ultra-secure MFA, your authentication gets replaced by a 1FA session cookie (or something similar). Most websites do NOT bind such cookies to the client's IP-address, making them prime "copytheft" targets (<a href="https://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">labs.beazley.security/articles</span><span class="invisible">/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem</span></a>).</p><p>Also, for an attacker with access to your credentials record on a webserver, indeed there's no point in "copystealing" your passkey's/YubiKey's public key. However, the attacker can REPLACE your pubkey with theirs, or add their own. Those pubkeys are NOT wrapped in a certificate (signed by a *trustworthy* third party) proving who generated the keypair. And there are no revocation facilities in case your device gets stolen.</p><p>Furthermore, passkey downgrade-to-weaker-auth attacks pose a threat BECAUSE you MAY lose them (or access to them).</p><p>For example, on Android, if you want to change (or remove) your "sync passprase", Google tells you to tap "Delete data" (see the screenshot below). Adam Langley's (<span class="h-card" translate="no"><a href="https://infosec.exchange/@agl" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>agl</span></a></span> ) pathetic joke "This might delete some data from your devices" [1] actually means that "you'll lose all of your passkeys" (on all of your synced Android devices; contrary to popular belief, Android passkeys are cloud based).</p><p>[1] <a href="https://seclists.org/fulldisclosure/2024/Feb/15" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">seclists.org/fulldisclosure/20</span><span class="invisible">24/Feb/15</span></a></p><p>A decent password manager that checks for the domain name (i.e. using AutoFill on Android or iOS/iPadOS) is not a bad idea after all.</p><p>Online auth is HARD. Let's not lie that it can be made simple.<br> </p><p><a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TOTP</span></a> <a href="https://infosec.exchange/tags/SMS2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SMS2FA</span></a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a> <a href="https://infosec.exchange/tags/WebAutn" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebAutn</span></a> <a href="https://infosec.exchange/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIDO2</span></a> <a href="https://infosec.exchange/tags/Yubikkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Yubikkey</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/OnlineAuthentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OnlineAuthentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwords</span></a> <a href="https://infosec.exchange/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordManager</span></a> <a href="https://infosec.exchange/tags/AutoFill" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AutoFill</span></a></p>