Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.
Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.
Arguably, it’s more like someone is able to hide the door altogether and force you to climb through the less-well-secured window. The fact that they can hide the door at all makes its locks meaningless.
I get that this is an inherent problem of security mechanisms in general and not of passkeys in particular. But it still reduces passkeys to just fancy passwords. They’re obviously not any more reliable in practice.