geocar 9 days ago

> The attack pattern is:

There are lots of attack patterns. That is one. I am not certain I believe it is very likely, because (a) I think "sign-in partner" is obvious bullshit, and (b) I don't understand why I would never enter a code into the wrong website. I believe it can be possible, but...

> Passkeys is the way to go. ... I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money. ...

I do not agree your story is justification for passkeys, or for letting banks trust passkeys for authentication purposes. I'd rather she not lose access to banking services in the first place: I don't think banks should be allowed to do that, and I do not think it should be possible for someone to "steal all her money" so quickly -- right now you should have at least several days to fix such a thing with no serious inconvenience beyond a few hours on the phone. I think it is important to keep that, and for banking consumers to demand that from their bank.

A "granny" friend of mine got beekeeper'd last year[1] and her bank reversed/cancelled the transfers when she was able to call the next day and I (local techdude) helped backup/restore her laptop. I do not think passkeys would have helped, and they perhaps would have made things much worse.

But I don't just disagree with the idea that passkeys are useful, or even the premise of a decision here between losing all their money and choosing passkeys; I also disagree with your priors: having to visit a bank branch is a huge inconvenience for me because I have to fly to my nearest. I don't know how many people around here keep the kind of cash they would need on hand if they suddenly lost access to banking services and needed to fly to recover them.

I think passkeys are largely security theatre and should not be adopted, if only so that it will be harder for banks to convince people that someone should be able to steal all their money/access with the passkey. This is just nonsense.

[1]: seriously: fake antivirus software invoice and everything, and her and her kid who is my age just saw the movie in theatres in like the previous week. bananas.
account42 9 days ago

> I am not certain I believe it is very likely, because (a) I think "sign-in partner" is obvious bullshit

It looks almost the same as the log-in-with-big-tech flow that users are already used to.

> and (b) I don't understand why I would never enter a code into the wrong website. I believe it can be possible, but...

You enter it on the website you are trying to log into and where you initiated the action, which in this scenario is the BAD website.
Findecanor 9 days ago

> I am not certain I believe it is very likely, because (a) I think "sign-in partner" is obvious bullshit, and (b) I don't understand why I would never enter a code into the wrong website. I believe it can be possible, but...

You and I think they are bullshit, but ... the problem is that bullshit is sometimes genuine. I have got tired of how many times in recent years I have seen things that looked like phishing or had obvious UX-security flaws and reported them, only to get a reply from customer service that the emails and sites were genuine and that they have no intention of improving. If janky patterns are the norm, then regular users will not be able to recognise the good-but-janky from the scams.
pavon 9 days ago

> I am not certain I believe it is very likely, because (a) I think "sign-in partner" is obvious bullshit, and (b) I don't understand why I would never enter a code into the wrong website. I believe it can be possible, but...

Now replace email with a text message sent from a short-code.
FabHK 9 days ago

> I don't understand why I would never enter a code into the wrong website

That's what phishing is predicated on, and it seems to be successful enough.
rightbyte 9 days ago

It is all bananas. The old way, with a local key on the computer and some silly Java program, plus a physical dongle to validate transactions with a number printed on a display, was way more foolproof. Then the banks wanted you to use the dongle to verify yourself on the phone and it all went downhill from there.
pbhjpbhj 9 days ago

> (a) I think "sign-in partner" is obvious bullshit

Nearly every website tries to offer Google or Microsoft based sign in; "sign in partners" are commonplace.