Passkey Redaction Attacks Subvert GitHub, Microsoft Authentication

Here are the key takeaways:

* Passkeys can be stored in a password manager, but that shifts trust to the manager's master password and any second secret it requires.
* Magic links for account recovery are generally considered secure, but they depend on email or SMS delivery, and those channels can be compromised.
* Ward links require a security question or a backup-code entry before they can be used, which adds a layer of security to the recovery flow.
* Microsoft's Entra ID and Intune let admins configure Conditional Access policies under which a login that passes through an attacker's proxy does not succeed.
* Many enterprise IAM solutions let admins define both the login and the account-recovery flow, which makes a secure passwordless login flow built on passkeys achievable.
* Security teams should treat every existing login session as potentially compromised: a request to fall back to a weaker authentication method should terminate the current session and start over, rather than continue inside it.
* Encouraging or requiring users to register more than one passkey prevents the loss of a single passkey from locking them out of the account.
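The following Python sketch ties the last two takeaways to the attack in the headline: an in-path proxy removes the passkey option from the login page, the victim falls back to password plus OTP, and the server side refuses to treat that as an ordinary login. It is an added illustration written for this page, not code from the article, from Microsoft, or from any IAM product; every name in it (AuthMethod, Account, Session, LoginPolicy, the sample user and backup code, and the assurance ranking of the methods) is hypothetical.

```python
"""Passkey-first login policy with downgrade handling (added illustration).

Example code written for this page, not code from the article or from any
vendor's product. All names (AuthMethod, Account, Session, LoginPolicy, the
sample account "alice", the backup code) are hypothetical.
"""
from dataclasses import dataclass, field
from enum import IntEnum
import secrets


class AuthMethod(IntEnum):
    """Methods ordered by assurance. Assumed ranking for this example: a
    phishing-resistant passkey outranks password+OTP, which outranks a magic
    link delivered over email/SMS."""
    MAGIC_LINK = 1
    PASSWORD_OTP = 2
    PASSKEY = 3


@dataclass
class Account:
    user: str
    passkeys: set = field(default_factory=set)      # registered credential IDs
    backup_codes: set = field(default_factory=set)  # single-use recovery codes


@dataclass
class Session:
    token: str
    method: AuthMethod
    active: bool = True


class DowngradeRejected(Exception):
    """A weaker method was attempted on an account with a stronger one
    enrolled, and no recovery proof (backup code) was presented."""


def offered_methods(acct: Account) -> list:
    """What an honest login page offers this account."""
    methods = [AuthMethod.PASSWORD_OTP, AuthMethod.MAGIC_LINK]
    if acct.passkeys:
        methods.insert(0, AuthMethod.PASSKEY)
    return methods


def redact_passkeys(methods: list) -> list:
    """Models the attacker's proxy: the passkey option is stripped so the
    victim only sees fallback methods the proxy can relay."""
    return [m for m in methods if m is not AuthMethod.PASSKEY]


class LoginPolicy:
    def __init__(self):
        self.sessions = {}

    @staticmethod
    def strongest_enrolled(acct: Account) -> AuthMethod:
        return AuthMethod.PASSKEY if acct.passkeys else AuthMethod.PASSWORD_OTP

    def login(self, acct: Account, method: AuthMethod, *,
              existing: Session = None, backup_code: str = None) -> Session:
        # Rule 1 (assume the session is compromised): whatever session the
        # caller arrives with is terminated before the new attempt is judged,
        # so a failed downgrade never leaves an attacker holding a live session.
        if existing is not None:
            existing.active = False
            self.sessions.pop(existing.token, None)

        # Rule 2: authenticating below the strongest enrolled method is a
        # downgrade and must go through the recovery flow (backup code).
        if method < self.strongest_enrolled(acct):
            if backup_code is None or backup_code not in acct.backup_codes:
                raise DowngradeRejected(
                    f"{acct.user}: {method.name} is weaker than "
                    f"{self.strongest_enrolled(acct).name}; backup code required")
            acct.backup_codes.discard(backup_code)  # codes are single use

        session = Session(secrets.token_hex(16), method)
        self.sessions[session.token] = session
        return session


def needs_more_passkeys(acct: Account, minimum: int = 2) -> bool:
    """Enrollment nudge: a single passkey is a single point of lockout."""
    return len(acct.passkeys) < minimum


if __name__ == "__main__":
    policy = LoginPolicy()
    alice = Account("alice", passkeys={"cred-1"}, backup_codes={"ABCD-1234"})
    # Constructed scenario: the proxy redacts the passkey option ...
    print("victim sees:", [m.name for m in redact_passkeys(offered_methods(alice))])
    # ... and relays a password+OTP attempt, which the server refuses.
    try:
        policy.login(alice, AuthMethod.PASSWORD_OTP)
    except DowngradeRejected as err:
        print("rejected:", err)
    # Genuine recovery with a backup code succeeds, once.
    print("recovered via:", policy.login(
        alice, AuthMethod.PASSWORD_OTP, backup_code="ABCD-1234").method.name)
    print("nudge to add a second passkey:", needs_more_passkeys(alice))
```

The two rules are deliberately separate: session termination happens unconditionally on any re-authentication request, so the check on method strength can fail without leaving the original session usable, and the recovery code is consumed whether or not the resulting session is ever used, so a relayed code cannot be replayed by the proxy later.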
