Standard MFA (time based codes) is not phishing resistant. Users can be social engineered into giving up a password and MFA token.
So basically this is just idiot-proofing the system. If you aren’t the type of person to give your password or MFA token to another person, then passkeys don’t really make better security.
Don’t chalk it up to idiots. The quote mentions “MFA fatigue”, which is something that definitely happens.
If you’re a Windows user (and moreso if you play games on your computer), you certainly regularly have admin prompts. I’m pretty sure that, like everyone else, you just click OK without a second thought. That’s fatigue. Those prompts exist for a security reason, yet there are so many of them that they don’t register anymore and have lost all their meaning.
For my job, I often have to login into MS Azure, and there are days where I have to enter my MFA 3 or 4 times in a row. I expect it, so I don’t really look at the prompt anymore. I just enter the token to be done with it asap; that’s a security risk
It also doesn’t take into account the technological advances that scammers are using more and more. Get a phone call from your boss requesting something sensitive? How sure are you that it really is your boss and not an AI generated voice relying on data from LinkedIn, Facebook, etc. run through a ChatGPT style system to respond to all manner of small talk etc?
It also allows you to login without someone visually observing your password while typing it on a keyboard or on an untrusted device that could have a keylogger.
So basically this is just idiot-proofing the system. If you aren’t the type of person to give your password or MFA token to another person, then passkeys don’t really make better security.
Don’t chalk it up to idiots. The quote mentions “MFA fatigue”, which is something that definitely happens.
If you’re a Windows user (and moreso if you play games on your computer), you certainly regularly have admin prompts. I’m pretty sure that, like everyone else, you just click OK without a second thought. That’s fatigue. Those prompts exist for a security reason, yet there are so many of them that they don’t register anymore and have lost all their meaning.
For my job, I often have to login into MS Azure, and there are days where I have to enter my MFA 3 or 4 times in a row. I expect it, so I don’t really look at the prompt anymore. I just enter the token to be done with it asap; that’s a security risk
It also doesn’t take into account the technological advances that scammers are using more and more. Get a phone call from your boss requesting something sensitive? How sure are you that it really is your boss and not an AI generated voice relying on data from LinkedIn, Facebook, etc. run through a ChatGPT style system to respond to all manner of small talk etc?
It also allows you to login without someone visually observing your password while typing it on a keyboard or on an untrusted device that could have a keylogger.