At this year’s DEF CON conference in Las Vegas, white hat security researcher Marek Tóth demonstrated how threat actors could use a clickjack attack to surreptitiously trigger and hijack a passkey-based authentication ceremony.
In the big picture, this is a story about how password managers could be tricked into divulging login information — either traditional credentials such as user IDs and passwords or credential-like artifacts associated with passkeys — to threat actors.
Are password managers to blame? Tóth — the researcher who discovered the exploit — suggests that they are, but the answer is more complicated.
Fully locking down any automated process is invariably a matter of security in layers. Across the vast majority of use cases where digital security matters, there is almost never a single silver bullet that wards off hackers. Depending on the layers of technology that combine to complete a workflow (for example, logging into a website), responsibility for the security of that process is shared by the parties that control each of those layers.
Yes, the password managers are one layer in stopping the exploit. But website operators and end-users — the parties in control of the other layers — must trade too much security for convenience in order for the exploit to work. Pointing fingers is useless. All parties at every layer must take action.
The big ideas behind passkeys
Every summer, the cybersecurity industry gathers in Las Vegas for the back-to-back Black Hat and DEF CON conferences, where security researchers take turns presenting their “big reveals.” During the year leading up to the event, these researchers work to discover new, unreported vulnerabilities. The bigger the vulnerability and the more users affected, the greater the attention (and possibly the financial reward) that awaits a researcher.
This year, several researchers announced a handful of issues that challenged the supposed superiority of passkeys as a login credential.
On ZDNET, David Berlind’s been writing a lot about passkeys and why, from the security and technical perspective, they’re immensely better than user IDs and passwords (even when additional factors of authentication are involved).
The three big ideas behind passkeys are:
- They cannot be guessed in the way passwords often can (and are).
- The same passkey cannot be reused across different websites and apps (the way passwords can).
- You cannot be tricked into divulging your passkeys to malicious actors (the way passwords can).
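To show why those three properties hold, here is an added example (not code from the article or from any password manager vendor) that models a WebAuthn-style passkey ceremony in Go with standard-library ECDSA. The authenticator keeps one P-256 key pair per relying-party ID, the signature covers the rpId hash plus the client data (origin and a server-issued challenge), and the relying party rejects anything bound to another site, another origin, or a stale challenge. The rpId names, origins and challenge strings are constructed sample values; the structures are a simplification of the real clientDataJSON and authenticatorData, not a full implementation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator is a simplified stand-in for a passkey store: one key pair per
// relying-party ID. Private keys never leave it, so there is nothing to guess
// or to hand to a phishing page.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpId -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh P-256 key pair bound to rpId and returns the public
// key the relying party stores. A different rpId always gets a different key.
func (a *Authenticator) Register(rpId string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpId] = priv
	return &priv.PublicKey
}

// ClientData mirrors the clientDataJSON fields that matter for this example.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives and verifies.
type Assertion struct {
	RpIdHash       []byte // stands in for the first 32 bytes of authenticatorData
	ClientDataJSON []byte
	Signature      []byte // DER ECDSA over SHA-256(rpIdHash || SHA-256(clientDataJSON))
}

// Assert signs a challenge. In a real ceremony the browser derives rpId from
// the page origin and fills in origin itself; here both are parameters so the
// relying-party checks can be exercised with mismatched values.
func (a *Authenticator) Assert(rpId, origin, challenge string) (*Assertion, error) {
	priv, ok := a.keys[rpId]
	if !ok {
		return nil, fmt.Errorf("no passkey for rpId %q", rpId)
	}
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpIdHash := sha256.Sum256([]byte(rpId))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedBytes(rpIdHash[:], cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{RpIdHash: rpIdHash[:], ClientDataJSON: cd, Signature: sig}, nil
}

// signedBytes builds the digest both sides sign and verify.
func signedBytes(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Verify is the relying-party side: reject anything not bound to this rpId,
// this origin and the challenge issued for this login, then check the signature.
func Verify(pub *ecdsa.PublicKey, rpId, expectedOrigin, expectedChallenge string, as *Assertion) error {
	want := sha256.Sum256([]byte(rpId))
	if !bytes.Equal(as.RpIdHash, want[:]) {
		return errors.New("rpIdHash mismatch: passkey belongs to a different site")
	}
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: look-alike or hijacked page", cd.Origin, expectedOrigin)
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: replayed or forged assertion")
	}
	if !ecdsa.VerifyASN1(pub, signedBytes(as.RpIdHash, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	pub := auth.Register("bank.example")       // constructed sample rpId
	ch := "random-challenge-from-server"        // constructed sample challenge
	good, _ := auth.Assert("bank.example", "https://bank.example", ch)
	fmt.Println("genuine login:", Verify(pub, "bank.example", "https://bank.example", ch, good))
	phish, _ := auth.Assert("bank.example", "https://bank-example.evil", ch)
	fmt.Println("wrong origin:", Verify(pub, "bank.example", "https://bank.example", ch, phish))
	fmt.Println("other site:", Verify(pub, "shop.example", "https://shop.example", ch, good))
}
```

The three rejections map onto the three big ideas: the key is random and never typed (nothing to guess), the rpId hash ties the key to one site (no reuse), and the signed origin plus one-time challenge means an assertion captured on the wrong page or replayed later fails verification (nothing useful to divulge).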
Unfortunately, despite their superiority, the passkey user experience varies so wildly from one website and app (collectively, “relying parties”) to the next that passkeys risk being globally rejected by users. Despite these barriers to adoption, and in the name of doing the most to protect yourself (often from yourself), my recommendation continues to be: Take advantage of passkeys whenever possible.
Source: ZDNet By: David Berlind