1. simonw+(OP) 2025-05-21 12:00:13
It's because OTP is trivially phishable: set up a fake login form that asks the user for their username and password, then forwards those on to the real system and triggers the OTP request, then requests THAT of the user and forwards their response.

Passkeys fix that.

replies(1): >>diggan+32
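A model of the origin binding that makes the relay above fail for passkeys, added here as an illustration and not code from the thread. Everything in it is constructed: the relying party `bank.example`, the phishing host `bank-login.example`, the user `alice`, and, as a simplification, an HMAC key standing in for the per-credential key pair so the script needs only the standard library (a real authenticator signs the same byte layout with an asymmetric key, and a real RP ID may be a registrable-domain suffix rather than the exact hostname used here). The browser, not the page, fills in the origin and picks credentials by RP ID, which is the same exact-domain match the password manager in the next comment relies on; the difference is that the server also verifies the signed origin and rejects a reused challenge.

```python
"""Why a relayed OTP works but a relayed passkey assertion does not.

Constructed illustration: the credential key pair is replaced by a shared
HMAC key so this runs on the standard library alone.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Holds credentials, each scoped to one relying-party id."""

    def __init__(self):
        self._creds = {}  # credential id -> (rp_id, key)

    def make_credential(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, key)
        return cred_id, key  # the RP stores the (public) key

    def get_assertion(self, page_origin: str, challenge: bytes):
        # The browser derives the RP id from the page's own origin; the page
        # cannot claim to be another site. Simplified: rp_id == hostname.
        rp_id = urlparse(page_origin).hostname
        for cred_id, (cred_rp, key) in self._creds.items():
            if cred_rp != rp_id:
                continue
            client_data = json.dumps(
                {"type": "webauthn.get", "challenge": challenge.hex(),
                 "origin": page_origin}, sort_keys=True).encode()
            auth_data = rp_id_hash(rp_id) + b"\x05"  # flags: UP | UV
            signed = auth_data + hashlib.sha256(client_data).digest()
            sig = hmac.new(key, signed, hashlib.sha256).digest()
            return {"id": cred_id, "client_data": client_data,
                    "auth_data": auth_data, "sig": sig}
        return None  # no credential for this origin: nothing to relay


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self._keys = {}     # credential id -> (user, key)
        self._pending = set()  # challenges issued and not yet consumed

    def register(self, user: str, auth: Authenticator):
        cred_id, key = auth.make_credential(self.rp_id)
        self._keys[cred_id] = (user, key)

    def begin_login(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def finish_login(self, assertion) -> str:
        """Checks in the order the WebAuthn spec lists them (simplified)."""
        if assertion is None:
            return "no assertion"
        entry = self._keys.get(assertion["id"])
        if entry is None:
            return "unknown credential"
        user, key = entry
        cd = json.loads(assertion["client_data"])
        challenge = bytes.fromhex(cd["challenge"])
        if challenge not in self._pending:
            return "bad challenge"  # unknown or already used: replay
        self._pending.discard(challenge)
        if cd["origin"] != self.origin:
            return "origin mismatch"  # signed origin is not ours
        if assertion["auth_data"][:32] != rp_id_hash(self.rp_id):
            return "rp id mismatch"
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return "bad signature"
        return f"ok:{user}"


def setup():
    auth, rp = Authenticator(), RelyingParty("bank.example", "https://bank.example")
    rp.register("alice", auth)
    return auth, rp


def legit_login() -> str:
    auth, rp = setup()
    return rp.finish_login(auth.get_assertion("https://bank.example", rp.begin_login()))


def relayed_login() -> str:
    # The relay from the comment above: a page on another host forwards the
    # real site's challenge. The browser has no credential for that host.
    auth, rp = setup()
    return rp.finish_login(auth.get_assertion("https://bank-login.example", rp.begin_login()))


def replayed_login() -> str:
    # A captured assertion submitted a second time fails the challenge check.
    auth, rp = setup()
    assertion = auth.get_assertion("https://bank.example", rp.begin_login())
    rp.finish_login(assertion)
    return rp.finish_login(assertion)


if __name__ == "__main__":
    print(legit_login(), "|", relayed_login(), "|", replayed_login())
```

With OTP, the relay succeeds because the code the user types carries no information about which site asked for it; here the origin is chosen by the browser, covered by the signature, and checked server-side, so the server never sees a usable assertion from the phishing page at all.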
2. diggan+32 2025-05-21 12:14:20
>>simonw+(OP)
Except if you use a proper password manager that prevents you from using the autofill on domains/pages other than the hardcoded ones. In my case, it would immediately trigger my "sus filter" if the automatic prompt doesn't show up and I would have to manually find the entry.
replies(1): >>ipsi+q5
3. ipsi+q5 2025-05-21 12:40:29
>>diggan+32
And yet that's not enough, even when someone very definitely knows better: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mail...

Turns out that under certain conditions, such as severe exhaustion, that "sus filter" just... doesn't turn on quickly enough. The aim of passkeys is to ensure that it _cannot_ happen, no matter how exhausted/stressed/etc someone is. I'm not familiar enough with passkeys to pass judgement on them, but I do think there's a real problem they're trying to solve.

replies(1): >>diggan+g7
4. diggan+g7 2025-05-21 12:56:37
>>ipsi+q5
If you're saying something is less secure because the users might suffer from "severe exhaustion", then I know that there aren't any proper arguments for migrating to it. Thanks for confirming I can continue using OTP without feeling like I might be missing something :)
replies(2): >>skydha+8c >>simonw+ML
5. skydha+8c 2025-05-21 13:32:04
>>diggan+g7
> If you're saying something is less secure because the users might suffer from "severe exhaustion"

Something "$5 wrench"

https://xkcd.com/538/

6. simonw+ML 2025-05-21 16:57:34
>>diggan+g7
Passkeys genuinely do protect against severe exhaustion attacks.
replies(1): >>diggan+XH2
7. diggan+XH2 2025-05-22 11:21:16
>>simonw+ML
Yeah, but they genuinely also prevent you from moving away from companies in the process of enshittification, since the whole export/import thing seemingly hasn't been figured out, let alone deployed yet.

Besides, if you ignore security alarm-bells going off when exhausted, I'm not sure what solution can 100% protect you.