@pake_preacher : I forgot the details of PAKE and SRP, but in the end the most secure client authentication requires:

1️⃣ Strong, long term, human comprehensible, *serving endpoint* authentication;
*AND*
2️⃣ TLS channel binding (enforcing known endpoints).

(Apart from those, both serving endpoint AND client MUST be trustworthy).

🚨 The -corrupt- CA/B forum breaks 1️⃣ by:
a) Advocating anonymous Domain Validated certificates, which render secure account creation IMPOSSIBLE;
b) Continuously decreasing certificate lifetime.

🚨 Furthermore, "legitimate" MitMs* break 2️⃣.

* Man in the Middle, like on-device virus scanners and firewalls that "open" TLS tunnels (both requiring installation of a dedicated root certificate), and proxies such as (but definitely not limited to) Cloudflare and Fastly.

😱 Passkeys enforce NEITHER 1️⃣ NOR 2️⃣.

😱😱 Worse, because passkeys (or FIDO2 hardware keys) can easily be irretrievably "lost", servers typically provide WAY MORE EASILY phishable authentication methods (such as "rescue codes").

@cendyne @soatok @chazh

#AitM #MitM #SecureOnlineAuthIsHARD #SecureAuthentication #OnlineAuthentication #Authentication #Impersonation #ChannelBinding #TLSchannelBinding #UTM #TLS #TLSinterception #TLSscanning #Proxy #Proxies #GoogleIsEvil #CloudflareIsEvil

Are Passkeys the future of online authentication or a cause for concern? Check out our latest blog post to learn more about this new technology
https://www.eliza-ng.me/post/passkeysauthent/
#Passkeys #OnlineAuthentication #Cybersecurity
Passkeys: The Future of Online Authentication or Cause for Concern?

In recent years, there has been a lot of talk surrounding the need to move away from traditional passwords as a means of authentication, due to their vulnerability to attacks such as phishing and hacking. In response, companies like Google and Apple have been developing alternative methods, such as passkeys, to provide users with a more secure means of accessing their online accounts. But what exactly are passkeys, and how do they compare to traditional authentication factors like passwords and biometrics?