
You're wrong, with password managers you can definitely be phished. Unless it's literally impossible to extract the password to enter it manually, but I don't think password managers make that impossible (and if it's possible, users will do it).

With passkeys it's literally impossible.




Could you expand on how to trick a password manager to enter the password on a fake domain?

I'd see having the user add the domain themselves, or get the user to copy/paste the password themselves on some other form. But the phishing is not happening on the password manager side, and these use cases still exist even after you choose passkeys (i.e. I'd still need to somewhat log into Google's auth from my Nest hub for instance to have it show the calendar)


It happens to me very regularly that a password in my password manager is needed on a different domain. Maybe the logon process is at id.domain.com and password is pinned to domain.com, or maybe the password was created at signup.domain.com and so it doesn't pop up on domain.com, or you have to log in to a hotel's site with the password from their reward scheme (different domain), etc...

In any case users are trained by the internet to need to search for the right password outside the pinned domains. Most of the time I guarantee people don't add the extra domains to the password records. So when a phishing site pops up they'll do the same: search for the site name/domain that they think they're logging into and go from there.

Password managers solve password reuse, weak passwords, etc. but IMO do not solve phishing, especially not for the kind of user who's most susceptible to it (little technical understanding, hates this stuff, just wants to follow instructions and not deal with it), but passkeys might.


At least on Bitwarden you can just edit the domain if that comes up a lot for you (or even add multiple domains to a password). I'd rather do that than copy/paste on a regular basis. Honestly I can't say I ever copy/paste.


Yeah, I do this too, but many people I know wouldn't even think about the fact that they could do that, or why they would. They just know that whatever password manager they use doesn't find the password but if they search for it, it's there. So they do that and get on with their lives, inadvertently opening up an avenue for phishing.


Thanks for your explanations. It's all the more reason to be pissed about what the big corporations are doing.


I'm totally with you.

These issues won't be solved unless passkeys work absolutely everywhere the user has to authenticate. Logon required or weird and funky domains are currently due to service providers being a mess themselves (I'm looking at you, Microsoft). So should we expect them to miraculously get their act together and have each of these systems flawlessly work with their passkey auth. from now on?

That's where I think we're stuck with that class of issue for as long as there are multiple auth systems, passkeys or not.


Also autofill is just broken by some sites and app login screens, so users are used to looking at and typing their passwords every now and then.


And, of course, the malicious site can arrange for autofill to be broken.


There can be vulnerabilities, this is clearly the hottest attack surface of password managers. I remember a few years ago Tavis Ormandy from Google Project Zero found such vulnerabilities in a bunch of the most popular password managers which allowed a rogue website to steal credentials.

I'd still recommend using a password manager, as overall and in practice the risk of phishing and (re)using (weak) passwords is far greater than this kind of rare vulnerability (and also I work for a company that makes a password manager ^^)

See https://lock.cmpxchg8b.com/passmgrs.html if you'd like to know more


> With passkeys it's literally impossible.

I dunno about you. But I like being able to get my passwords out of the password manager. How is not being able to do so a feature?


The metaphor might be a bit esoteric, but that's similar to wishing that Hardware Security Modules (HSMs) allowed you "get your <private keys>" out of the HSM. As sibling comment says, that's how you get phished. The whole point of an HSM (and a passkey) is that the super-secret private part never leaves the HSM no matter how nicely you ask and no matter how compromised the machine is.

A password manager, OTOH, is happy to hand out your private key ("password" in this case) to anyone that has access to it.


Yes, but I don’t want vendor lockin.

I want to move my passkeys where I want and use tools I want.

Not allowing any way of changing passkeys is terrible. Imagine someone switches from iOS to Android. How do they use their passkeys?

Even if they had a big “warning don’t do this” sign it would be better than not allowing it in any way.


It's a middle ground. You should be able to move passkeys from one vendor to another with some export process, but the secret key is not exposed when you use it, which reduces the risk of having it stolen.


> Not allowing any way of changing passkeys is terrible.

Who says you can't change your passkeys? Just log into the site with your existing passkey (or other 2FA) and change it.


Sure, I'll just log into all 500+ sites I have logins for and update them.


It's not that kind of impossible. It means that even if you are tricked into giving your passkey to the attacker, it's cryptographically useless to the attacker because a passkey is bound to a specific origin.
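The "bound to a specific origin" point above, and the HSM analogy earlier in the thread (the private half never leaves the authenticator), can be shown end to end with a toy model of the WebAuthn assertion flow. This is an added example, not code from the thread or from any passkey implementation: the relying party `bank.example`, the phishing host `bank-login.example`, the `ToyAuthenticator` / `RelyingParty` / `browser_get` names and the hard-coded RSA primes are all constructed for illustration. Real authenticators sign with ECDSA or Ed25519; textbook RSA stands in here so the example runs on the Python standard library alone. It shows why a phishing page that relays the bank's genuine challenge still cannot obtain a usable assertion: the browser refuses to let it claim the bank's RP ID, the authenticator has no credential scoped to the phishing host, and an assertion whose embedded origin is edited fails the relying party's checks.

```python
"""Toy model of WebAuthn origin binding (added example, not from the thread).

Constructed RSA primes and names; insecure and for illustration only.
"""
import hashlib
import json
import secrets
from urllib.parse import urlsplit

_P, _Q, _E = 2**61 - 1, 2**89 - 1, 65537   # toy key material, NOT for real use


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ToyAuthenticator:
    """Stands in for a security key or platform authenticator: private keys never leave it."""

    def __init__(self):
        self._creds = {}  # credential id -> (rp_id, private exponent d, modulus n)

    def make_credential(self, rp_id: str):
        n, d = _P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1))
        cred_id = secrets.token_bytes(16)
        self._creds[cred_id] = (rp_id, d, n)
        return cred_id, (n, _E)            # only the public half is ever handed out

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data_hash: bytes):
        stored_rp, d, n = self._creds[cred_id]
        if stored_rp != rp_id:              # a credential is scoped to exactly one RP ID
            raise LookupError("no credential for rp_id %r" % rp_id)
        auth_data = _h(rp_id.encode()) + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash|flags|counter
        # Signature covers authenticatorData || SHA-256(clientDataJSON), so the origin
        # recorded in clientDataJSON cannot be altered without breaking the signature.
        digest = int.from_bytes(_h(auth_data + client_data_hash)[:16], "big")
        return auth_data, pow(digest, d, n).to_bytes(32, "big")


def browser_get(auth, page_origin: str, rp_id: str, cred_id: bytes, challenge: bytes):
    """The browser writes the *real* page origin into clientDataJSON and only allows an
    RP ID the page's host may claim (simplified here to an exact host match)."""
    if urlsplit(page_origin).hostname != rp_id:
        raise PermissionError("page at %s may not use rp_id %r" % (page_origin, rp_id))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(rp_id, cred_id, _h(client_data))
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.pubkeys, self.pending = rp_id, origin, {}, set()

    def register(self, cred_id, pubkey):
        self.pubkeys[cred_id] = pubkey

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def verify(self, a) -> tuple:
        """Return (ok, reason), mirroring the WebAuthn assertion verification steps."""
        cd = json.loads(a["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong type"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch: %s" % cd.get("origin")
        challenge = bytes.fromhex(cd.get("challenge", ""))
        if challenge not in self.pending:
            return False, "unknown or replayed challenge"
        if a["authenticatorData"][:32] != _h(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        n, e = self.pubkeys[a["id"]]
        expected = int.from_bytes(_h(a["authenticatorData"] + _h(a["clientDataJSON"]))[:16], "big")
        if pow(int.from_bytes(a["signature"], "big"), e, n) != expected:
            return False, "bad signature"
        self.pending.discard(challenge)
        return True, "ok"


def run_scenarios() -> dict:
    auth = ToyAuthenticator()
    bank = RelyingParty("bank.example", "https://bank.example")      # constructed RP
    cred_id, pub = auth.make_credential("bank.example")
    bank.register(cred_id, pub)
    r = {}
    a = browser_get(auth, "https://bank.example", "bank.example", cred_id, bank.new_challenge())
    r["legit"] = bank.verify(a)                 # genuine login from the real origin
    r["replay"] = bank.verify(a)                # same assertion again: challenge already consumed
    relayed = bank.new_challenge()              # a phishing page relays the bank's real challenge
    try:
        browser_get(auth, "https://bank-login.example", "bank.example", cred_id, relayed)
        r["phish_claims_bank_rpid"] = "assertion produced"
    except PermissionError:
        r["phish_claims_bank_rpid"] = "browser refused"
    try:
        browser_get(auth, "https://bank-login.example", "bank-login.example", cred_id, relayed)
        r["phish_own_rpid"] = "assertion produced"
    except LookupError:
        r["phish_own_rpid"] = "authenticator refused"
    a = browser_get(auth, "https://bank.example", "bank.example", cred_id, bank.new_challenge())
    forged = dict(a, clientDataJSON=a["clientDataJSON"].replace(b"bank.example", b"bank-login.example"))
    r["tampered_origin"] = bank.verify(forged)  # edited origin: rejected before the signature step
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, "->", outcome)
```

The contrast with a password manager is the `get_assertion` interface: the authenticator only ever returns a signature over data that names the RP ID and (via the browser) the real origin, never the key itself, so there is nothing for a user to copy into the wrong form. Real deployments check more than this toy does (signature counter, user-presence flag, RP ID suffix rules, credential allow-lists), but the origin and `rpIdHash` checks are the ones that make the relayed-challenge phishing case fail.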


Because that opens you up for being phished.


True, but it also opens me up to using the same password on all machines I use. You can argue that’s a negative, but personally I like being able to add a new machine to my collection without worrying about who the vendor is.



