@troyhunt almost every large service still has SMS account recovery, as account recovery is king. Also Evilginx can just remove the Passkey auth option in the sign in flow, whilst phishing.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 29-Mar-2025 20:44:02 JST
Troy Hunt (troyhunt@infosec.exchange)'s status on Saturday, 29-Mar-2025 20:44:03 JST
I'm writing up a blog post called "Passkeys for Normal People", which is a non-trivial exercise. For example, whilst LinkedIn "supports" passkeys, it doesn't seem to allow using them as a second factor *or* a sole factor, so you're still left with passwords and OTPs. Correct?