Comment by Borealid
You can't provide a passkey to a malicious site without writing your own web browser. And the "password" is a 128-bit integer.
It completely solves the phishing-password-stealing problem.
I think a passkey is a good example of how, when the user has a trusted third party grant them limited instead of unlimited permission to do something (e.g. they can use a secret with the site that created it but they can't extract the raw secret from it to send to an arbitrary site), it is possible to make them immune to a particular type of phishing.
As an example of mitigating another type of phishing, if the user only has the ability to log in to a web site from a particular device or country, an attacker tricking them into providing their password gets a much less useful win.
You could argue they have the "right to do" less in that situation. Sure, that's a reasonable perspective. I'm not passing moral judgement here. But I think that it is a factually true statement that it is indeed possible to mitigate (and even entirely prevent) phishing vulnerabilities by giving end users devices that have stronger security policies - with those policies being written by the device creator, and not edited by the end user themself.
I think this principle applies to every single type of social engineering attack. Limiting the context of permissions lessens the risk of a confused deputy.
I am not sure what you are trying to say.
Security is a gradient. At some point, adding security means reducing freedom. It is a societal choice where you stop. If you put all the humans in your country in a jail, each in a separate cell, never let them go out and just bring them food, then there will be no crime in your country. But nobody wants that.
> I think this principle applies to every single type of social engineering attack. Limiting the context of permissions lessens the risk of a confused deputy.
A confused deputy is a computer program. We're talking about phishing.
Originally you were positing that phishing (specifically password phishing) was not preventable.
Now you are arguing that by restricting users' permissions it is possible to move along the security gradient, potentially to a point where phishing is not a viable threat.
I agree.
As I said, I was talking about phishing generally. Password was an example, and passkeys do help with some of the pain there, for sure.
> potentially to a point where phishing is not a viable threat
You keep ignoring the parts that are inconvenient to you :-). I said that at some point, increasing security means decreasing the freedom. It's a compromise. And as long as people have some freedom, someone will be able to abuse it. Phishing will always exist. The only way to prevent phishing entirely is to remove all the rights of everybody. If I cannot do anything, then I cannot do anything wrong. As long as I can do something, I can do it wrong. Phishing fundamentally leverages that.
That was an example, I was talking about phishing in general. Phishing will always exist: as long as a human has a right to do something, someone else can trick this human into doing it for them.
Passkeys are great, and they do improve the situation. But they won't remove phishing as a concept.