alt Hacker NewsPassword/TOTP does not protect you against phishing. The phishing site can forward the password and TOTP you type into the real system, gaining your access.
FIDO/WebAuthn/Passkeys protect you against phishing, because of the origin binding mentioned in the article. On the phishing site, the required credential cannot be generated, and so no matter how convincing it is you can't accidentally give them a credential to forward.
Phishing is what these systems were trying to defend against.
Now if you were to say that the move from plain FIDO tied to a hardware key to passkeys tied to a Google account was a lock-in ploy ---- then I might be more inclined to agree.
Replies
> The phishing site can forward the password and TOTP you type into the real system, gaining your access.
To me this seems harder to pull off than a fraudulent password reset (either via social engineering, or a hacked email account). My TOTP fell in the drink a few years back, and some accounts very hard to reset and others were too easy.
Considering there's an entire portion of the software industry built on accepting a user's credentials and also prompting them for their TOTP, I don't think this really matters.
It's not an acceptable trade-off. And the answer isn't, "Those third-parties shouldn't be asking for your password and TOTP," because that's not a realistic premise.