Passkeys address the phishing angle, but as always it’s a trade-off.
With passkeys, if someone gets remote control of your computer, they have access to everything you set up a passkey for.
Typically people say “well full remote control is far less common than phishing”, and it is, for now, until everyone’s using passkeys and all of the sophisticated phishing attack effort just shifts to passkeys.
The obvious weak point here is all of the outsourced IT who aren’t specifically focused on cybersecurity. Every IT company is using multiple tools for central management that either allow remote control or remote execution, or there’s always in-house developers who realistically aren’t doing a security analysis of every third-party library they’re installing.