logoalt Hacker News

Onavo10/01/20240 repliesview on HN

Passkeys or WebAuthn, TOTP based 2FA (regardless of whether it's hardware or software based) is vulnerable to phishing. Protocols like WebAuthn are tied to the domain and is a lot trickier to compromise (at least not without significant effort).

A lot of people here are complacent when it comes to phishing because they believe "I am a big overpaid technical person on Hackers News, I am not dumb enough to fall for suspicious links unlike those dumb unwashed masses" but as most security people know, the sort of mass phishing attempts your grandma receives are relatively low effort compared to actual targeted spear phishing. A dedicated phishing attempt won't have broken English, CSS styling issues, weird punycode etc. It would be practically indistinguishable from the real thing unless you were specifically looking for it.