Malicious binary steals browser cookies giving attacker access to all active sessions?
It gets better. With malware on the box you own the primary refresh token, which can mint new browser tokens without needing passwords or MFA.
Definitely use FIDO2, but understand that it's not foolproof. Malware, OAuth phishing, XSS, DNS hijacking, etc. will still pwn you.