yawaramin | 3 days ago
With passkeys there is nothing to check manually. If it works, you know it's the domain you registered on. If it doesn't work, you log in with a non-phishable auth method like an emailed magic link, then register a new passkey. You could claim that a phishing site could set up their own passkey registration system–but that still wouldn't give them access to the target's real account.
diggan | 3 days ago
> With passkeys there is nothing to check manually. If it works, you know it's the domain you registered on. If it doesn't work,

So exactly the same as password managers, there is no functional difference if you were using a password manager...