

That’s literally no different from a regular password manager or having a 2FA TOTP code app set up for it
Cryptography nerd
Fediverse accounts:
Natanael@slrpnk.net (main)
Natanael@infosec.pub
Natanael@lemmy.zip
Lemmy moderation account: @TrustedThirdParty@infosec.pub - !crypto@infosec.pub
@Natanael_L@mastodon.social
Bluesky: natanael.bsky.social
It literally just takes a slightly different domain name. Lots of infosec pros have been phished when not paying attention.
Passkeys use unique keys per site for that reason
TOTP codes can be phished, hardware security keys and passkeys can’t
Google Chrome on PC can let you verify from the phone to unlock passkeys
TOTP can be phished remotely, passkeys / hardware security keys can’t (need to get malware onto the user’s computer instead)
The synchronization part is the annoying part. And when you have multiple accounts on one site you can end up with multiple passkeys for it.
They’re using the same standard as FIDO2 / WebAuthn hardware security keys. The protocol is phishing resistant, unlike TOTP and similar one time code solutions.
I prefer the physical ones, because they’re easy to organize. Passkey synchronization can be annoying.
If you’ve already noticed incoming traffic is weird, you try to look for what distinguishes the sources you don’t want. You write rules looking at behaviors like user agent, order of requests, IP ranges, etc., put them in your web server and tell it to check whether the incoming request matches the rules as a session starts.
Unless you’re a high value target for them, they won’t put endless resources into making their systems mimic regular clients. They might keep changing IP ranges, but that usually happens ~weekly and you can just check the logs and ban new ranges within minutes. Changing client behavior to blend in is harder at scale - bots simply won’t look for the same things as humans in the same ways, they’re too consistent, even when they try to be random they’re too consistently random.
When enough rules match, you throw in either a redirect or an internal URL rewrite rule for that session to point them to something different.
The trick is distinguishing them by behavior and switching what you serve them
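A rule-based scorer of the kind the comments above describe, added here as an example and not the commenter’s own code: each rule votes on one session (IP range, user agent, request order, timing regularity), and once enough rules match the server switches what it serves. The session records, the banned range (a documentation range), the user-agent fragments and the threshold are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Session:
    ip: str
    user_agent: str
    paths: list                               # requested paths, in order
    gaps: list = field(default_factory=list)  # seconds between consecutive requests

# Constructed: a range the operator already decided to ban after reading the logs
# (203.0.113.0/24 is a documentation range, not a real source).
BANNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
SUSPECT_UA_FRAGMENTS = ("python-requests", "curl/", "go-http-client")

def rule_ip_range(s):
    return any(ipaddress.ip_address(s.ip) in net for net in BANNED_RANGES)

def rule_user_agent(s):
    ua = s.user_agent.lower()
    return not ua or any(frag in ua for frag in SUSPECT_UA_FRAGMENTS)

def rule_request_order(s):
    # A browser fetches a page's assets; a client that walks many content
    # pages and never asks for a single asset does not behave like one.
    fetched_asset = any(p.endswith((".css", ".js", ".png")) for p in s.paths)
    return len(s.paths) >= 5 and not fetched_asset

def rule_too_regular(s):
    # "Too consistently random": near-identical inter-request timing.
    return len(s.gaps) >= 4 and max(s.gaps) - min(s.gaps) < 0.05

RULES = (rule_ip_range, rule_user_agent, rule_request_order, rule_too_regular)

def score(s):
    """Number of rules the session matches."""
    return sum(1 for rule in RULES if rule(s))

def decide(s, threshold=2):
    """Action for the web server: serve normally, or rewrite/redirect the session."""
    return "rewrite" if score(s) >= threshold else "serve"

# Constructed sessions: an ordinary browser visit and a scraper run.
HUMAN_SESSION = Session("198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0",
                        ["/", "/static/app.css", "/posts/1", "/posts/2"], [1.2, 4.8, 9.1])
BOT_SESSION = Session("203.0.113.42", "python-requests/2.31",
                      ["/posts/1", "/posts/2", "/posts/3", "/posts/4", "/posts/5"],
                      [0.50, 0.51, 0.50, 0.52])

if __name__ == "__main__":
    for name, s in (("human", HUMAN_SESSION), ("bot", BOT_SESSION)):
        print(f"{name}: score={score(s)} action={decide(s)}")
```

In a real deployment the `decide` result maps onto the server’s redirect or internal rewrite rule for that session, and the banned range list is the part that gets refreshed from the logs when the sources move.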
Yes, but not as widespread.
Multiple toolmaking skills have been lost and had to be rediscovered. Metalworking, mechanical computers (clockworks), etc.
Secrecy in trades and lack of documentation used to be the main cause. Now the cause is lack of interest…
Interviewers look for excess confidence, not skill
Passkeys can be synchronized, but aren’t intended to be exported raw as they’re meant to be used with a TPM / secure element chip or equivalent secure hardware to protect the key in use. Bitwarden can synchronize them.
Also, they intentionally create distinct keys per site, so you can’t link multiple accounts using the same passkey / hardware security key.