qurren 16 hours ago

> With a password, you open your password manager, copy the password in memory, paste it into the input field and trust that nobody could read it from your clipboard and that the program handling the password does it correctly. If your password leaks on the way, it's leaked.

I don't do that. My password manager simulates keystrokes 2 seconds after I hit the button. I switch to the other window and my password gets punched in without going through the clipboard. Specifically to avoid this attack.

> Currently I use my Yubikeys as passkeys

I have Yubikeys but for 2FA. So we're back to 1FA now but just "something you have" and no "something you know"?

palata 16 hours ago

> I don't do that. My password manager simulates keystrokes 2 seconds after I hit the button.

So malware on your computer can just listen to the keystrokes, or read on the screen? If the OS is compromised, they can extract the password. With a passkey they can't.

> So we're back to 1FA now but just "something you have" and no "something you know"?

You can set up a PIN on your Yubikey, so that's "something you have" and "something you know", and you can request physical presence ("touching the yubikey") on top.
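
An added example, not part of either comment: how a relying party can tell from the WebAuthn `authenticatorData` header whether a login was possession only (touch, the UP flag) or possession plus PIN (the UV flag), and reject the former. The function names, the `example.com` RP ID and the sample bytes are constructed for illustration; signature verification is a separate step and is not shown.

```python
import hashlib
import struct

# Flag bits in byte 32 of authenticatorData (WebAuthn specification).
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric was checked by the authenticator


def check_authenticator_data(auth_data: bytes, expected_rp_id: str,
                             require_uv: bool = True) -> dict:
    """Parse the fixed 37-byte header and enforce the factor policy."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")

    rp_id_hash = auth_data[:32]                       # SHA-256 of the RP ID
    flags = auth_data[32]                             # UP / UV / other bits
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian counter

    # The assertion must be scoped to this site, not some other origin.
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")

    user_present = bool(flags & FLAG_UP)
    user_verified = bool(flags & FLAG_UV)

    if not user_present:
        raise ValueError("user presence (touch) not asserted")
    if require_uv and not user_verified:
        # Touch without PIN: "something you have" only.
        raise ValueError("user verification (PIN) not asserted")

    return {"user_present": user_present,
            "user_verified": user_verified,
            "sign_count": sign_count}


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample header for testing; not captured from a real key."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    touch_and_pin = build_sample("example.com", FLAG_UP | FLAG_UV, 7)
    print(check_authenticator_data(touch_and_pin, "example.com"))
```

A server that wants both factors also has to ask for them by setting `userVerification: "required"` in the request options; checking the UV flag afterwards is what enforces it.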