While true, session hijacking is the already prolific vulnerability left wide open that passkeys actually make harder to deal with. (Edit: as in mitigate the attack once is happened)
Instead of a scammer getting grandma to read her SMS TOTP on the phone (easier than Sim swapping, but only barely), she gets a call to go to a URL and enter her passkey manager PIN to OK sessions across everything she has passkeys for. Most already open in 800 open browser tabs.
And when her passkey is compromised, how quickly will Google customer service act to get her a new one? A few days? Longer?
What problem is actually solved here? Passkeys are about saving money for the companies on password reset server time.
Passkeys are about saving money for the companies on password reset server time.
Lol, no. They don’t care about the extra 0.001% expense. Passkeys are mainly to protect the average user from their own stupidity. Grandma is far more likely to use the same shit password across many sites. Most average users are.
Google, MS, and Meta each have millions of accounts they manage. Billions for Meta. Their the ones pushing this.
The average user needs 2 resets a year at the enterprise level. Let’s say that the Meta self-service system uses $0.01 in total costs to process one request. For Meta alone, that’s $20 million a year, not even taking into account all the shitty “fraud prevention” stuff they have to go.
So if you can change your system to make the grandma that’s driving up the average have to use a passkey, it saves Meta money - AND gives someone managing the passkey more granular data access. It doesn’t help Grandma out at all, all things considered.
Yeah this guy is grossly overestimating the intelligence of businesses when it comes to software. I’ve seen a major company spending 20000+ a month on aws for servers they never used. And that was just for a single site, I can only imagine what’s going on in other branches of the company.
Not at all, Google, Meta, and MS spend a lot of resources resetting passwords across literally tens of millions of accounts. It ads up at scale, and it’s not even insignificant at the enterprise level.
While true, session hijacking is the already prolific vulnerability left wide open that passkeys actually make harder to deal with. (Edit: as in mitigate the attack once is happened)
Instead of a scammer getting grandma to read her SMS TOTP on the phone (easier than Sim swapping, but only barely), she gets a call to go to a URL and enter her passkey manager PIN to OK sessions across everything she has passkeys for. Most already open in 800 open browser tabs.
And when her passkey is compromised, how quickly will Google customer service act to get her a new one? A few days? Longer?
What problem is actually solved here? Passkeys are about saving money for the companies on password reset server time.
I feel personally attacked by this
Lol, no. They don’t care about the extra 0.001% expense. Passkeys are mainly to protect the average user from their own stupidity. Grandma is far more likely to use the same shit password across many sites. Most average users are.
They do care, because it adds up at scale.
Google, MS, and Meta each have millions of accounts they manage. Billions for Meta. Their the ones pushing this.
The average user needs 2 resets a year at the enterprise level. Let’s say that the Meta self-service system uses $0.01 in total costs to process one request. For Meta alone, that’s $20 million a year, not even taking into account all the shitty “fraud prevention” stuff they have to go.
So if you can change your system to make the grandma that’s driving up the average have to use a passkey, it saves Meta money - AND gives someone managing the passkey more granular data access. It doesn’t help Grandma out at all, all things considered.
https://www.bleepingcomputer.com/news/security/the-true-and-surprising-cost-of-forgotten-passwords/
Yeah this guy is grossly overestimating the intelligence of businesses when it comes to software. I’ve seen a major company spending 20000+ a month on aws for servers they never used. And that was just for a single site, I can only imagine what’s going on in other branches of the company.
Not at all, Google, Meta, and MS spend a lot of resources resetting passwords across literally tens of millions of accounts. It ads up at scale, and it’s not even insignificant at the enterprise level.
https://www.bleepingcomputer.com/news/security/the-true-and-surprising-cost-of-forgotten-passwords/