
Surely people can still phish for the user to insert their hardware key to approve something malicious?



Exactly. 'Resistant' not 'impenetrable'.

The article itself says that 100% phishing resistance is impossible. So I stand by my argument that if you give an idiot a Yubikey, it still doesn't save them from themselves.

> Does this technology eliminate all risk? No. As this becomes widely deployed new attacks will be developed, but it will be MUCH harder for the cyber attacker.

> FIDO is extremely resistant to phishing attacks but adopting FIDO does not mean your organization is secure against phishing.


Hardware keys (unlike humans) usually check page URL and do not send the data stored by another domain.
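
The origin scoping described in the comment above, as an added example that is not part of the thread: a simplified Python model of how a FIDO2/WebAuthn credential is bound to a relying-party ID and what the server checks afterwards. `ToyKey`, `rp_id_allowed`, `server_accepts` and the domains are constructed for illustration; the public-suffix check and signature verification are omitted.

```python
import hashlib
import json
from urllib.parse import urlsplit

def rp_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

def rp_id_allowed(origin, rp_id):
    # Simplified browser rule: HTTPS page whose host equals the RP ID or is a
    # subdomain of it. Real browsers also consult the public suffix list.
    url = urlsplit(origin)
    host = url.hostname or ""
    return url.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))

class ToyKey:
    """Model of a hardware key: credentials are stored per RP ID hash."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id, cred_id):
        self.creds[rp_hash(rp_id)] = cred_id

    def get_assertion(self, origin, rp_id, challenge):
        # origin is supplied by the browser, never by the page or the user.
        if not rp_id_allowed(origin, rp_id) or rp_hash(rp_id) not in self.creds:
            return None  # nothing is released for this site
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin})
        # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4)
        auth_data = rp_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")
        return {"id": self.creds[rp_hash(rp_id)],
                "client_data": client_data, "auth_data": auth_data}

def server_accepts(assertion, origin, rp_id, challenge):
    # Relying-party checks on origin, challenge and rpIdHash. Verifying the
    # signature over these fields is required in practice and omitted here.
    cd = json.loads(assertion["client_data"])
    return (cd["type"] == "webauthn.get" and cd["origin"] == origin
            and cd["challenge"] == challenge
            and assertion["auth_data"][:32] == rp_hash(rp_id))

if __name__ == "__main__":
    key = ToyKey()
    key.register("example.com", "cred-1")  # constructed sample values
    good = key.get_assertion("https://login.example.com", "example.com", "c1")
    print(server_accepts(good, "https://login.example.com", "example.com", "c1"))
    print(key.get_assertion("https://example.com.lookalike.test", "example.com", "c1"))
```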



