this post was submitted on 24 Sep 2023
6 points (100.0% liked)

Programming

17351 readers
310 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev



founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[โ€“] SorteKanin@feddit.dk -1 points 1 year ago (1 children)

Standard MFA (time based codes) is not phishing resistant. Users can be social engineered into giving up a password and MFA token.

So basically this is just idiot-proofing the system. If you aren't the type of person to give your password or MFA token to another person, then passkeys don't really make better security.

[โ€“] 0xc0ba17@sh.itjust.works 3 points 1 year ago

idiot-proofing

Don't chalk it up to idiots. The quote mentions "MFA fatigue", which is something that definitely happens.

If you're a Windows user (and moreso if you play games on your computer), you certainly regularly have admin prompts. I'm pretty sure that, like everyone else, you just click OK without a second thought. That's fatigue. Those prompts exist for a security reason, yet there are so many of them that they don't register anymore and have lost all their meaning.

For my job, I often have to login into MS Azure, and there are days where I have to enter my MFA 3 or 4 times in a row. I expect it, so I don't really look at the prompt anymore. I just enter the token to be done with it asap; that's a security risk