> Otherwise people would be tricked into giving away passkeys much like they are with passwords today.
Is this really a common attack vector vs. a company leaking their whole customer database and a bunch of passwords being revealed that way?
Yes, it's called phishing.
Phishing is different (from the user's POV) than exporting a password and "giving it away". I don't see how phishing would be applicable to passkey exports.
> Phishing is different
Nope, it's exactly that: tricking people into believing that they are exporting their passkey securely where actually they are sharing it with the attacker.
> I don't see how phishing would be applicable to passkey exports.
Phishing is applicable to everything humans can do: if you can ask a human to do it, you can phish a human to do it.
Not sure why this is being downvoted. This user (palata) is correct — phishing is any attempt by an attacker to trick a user into giving up sensitive information.
For anyone who is confused:
https://www.cloudflare.com/learning/access-management/phishi...
Not yet. It's a more complex variation on phishing, but not complex enough that it wouldn't happen if scammers needed it to.