Question for the smarter/more experienced people than me, would a hardware key help with this sort of thing? I know they’re not available everywhere and you essentially need two (or like a safe with your backup password), but I’m curious if those are just like… better.
It depends on what you mean by better. A hardware token, unlike a passkey, isn’t tied to any specific device, but both a device and a hardware key can be lost. Also not every platform supports them, but I know YubiKeys at least can be used with their own authenticator app in those cases usually.
Ideally each account should be secured by multiple different factors. A passkey or hardware token are both things you have; a biometric is something you are. It’s usually better to use one from each category (i.e. a biometric plus hardware token), rather than two of the same (hardware token plus passkey).
Of course, there still are ways around MFA, such as session and token hijacking (basically why you want to be very careful when using single sign-on, or SSO, as well as the “remember me” button). Artificial intelligence models will only make these types of attacks, as well as many others, easier.
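To make the session-hijacking point concrete from the defender's side, here is an added example (not code from anyone in this thread): a small server-side session store that compares a plain bearer token, which any holder can replay, with a token bound to client attributes and given a short expiry. The fingerprint scheme (user agent plus the /24 of the client address), the client strings, the addresses and the TTLs are all constructed for illustration; a "remember me" login simply gets the longer TTL.

```python
"""Session tokens: bearer-only vs. client-bound with expiry (constructed example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    fingerprint: str   # hash of client attributes captured at login
    expires_at: float  # absolute Unix time
    remember_me: bool


class SessionStore:
    """Server-side session table. Tokens are stored hashed so a leaked table
    does not yield usable bearer tokens."""

    def __init__(self, bind_to_client: bool, short_ttl: int = 900,
                 remember_ttl: int = 30 * 86400):
        self.bind_to_client = bind_to_client
        self.short_ttl = short_ttl          # assumed: 15 minutes
        self.remember_ttl = remember_ttl    # assumed: 30 days for "remember me"
        self._sessions: dict[str, Session] = {}
        self.alerts: list[str] = []         # hijack indicators for the SOC

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def fingerprint(user_agent: str, ip: str) -> str:
        # Constructed binding: user agent plus the /24 of the client address.
        prefix = ".".join(ip.split(".")[:3])
        return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()

    def login(self, user, user_agent, ip, remember_me=False, now=None) -> str:
        now = time.time() if now is None else now
        ttl = self.remember_ttl if remember_me else self.short_ttl
        token = secrets.token_urlsafe(32)  # random, unguessable bearer value
        self._sessions[self._key(token)] = Session(
            user, self.fingerprint(user_agent, ip), now + ttl, remember_me)
        return token

    def validate(self, token, user_agent, ip, now=None):
        """Return the user for a valid token, else None."""
        now = time.time() if now is None else now
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if now >= sess.expires_at:
            del self._sessions[key]        # expired: drop it
            return None
        if self.bind_to_client and not hmac.compare_digest(
                sess.fingerprint, self.fingerprint(user_agent, ip)):
            # Same token, different client: treat as stolen, revoke, alert.
            self.alerts.append(f"session reuse for {sess.user} from {ip}")
            del self._sessions[key]
            return None
        return sess.user


def demo() -> dict:
    """Replay a copied token against a bearer-only store and a bound store."""
    t0 = 1_700_000_000
    victim = ("Mozilla/5.0 (X11; Linux)", "192.0.2.10")   # constructed client
    other = ("curl/8.0", "198.51.100.77")                  # constructed other client
    out = {}

    plain = SessionStore(bind_to_client=False)
    tok = plain.login("alice", *victim, remember_me=True, now=t0)
    out["unbound_replay"] = plain.validate(tok, *other, now=t0 + 60)

    bound = SessionStore(bind_to_client=True)
    tok = bound.login("alice", *victim, remember_me=True, now=t0)
    out["bound_replay"] = bound.validate(tok, *other, now=t0 + 60)
    out["alerts"] = len(bound.alerts)
    out["victim_after_revoke"] = bound.validate(tok, *victim, now=t0 + 120)

    tok = bound.login("alice", *victim, now=t0)
    out["short_session_1h"] = bound.validate(tok, *victim, now=t0 + 3600)
    tok = bound.login("alice", *victim, remember_me=True, now=t0)
    out["remember_me_29d"] = bound.validate(tok, *victim, now=t0 + 29 * 86400)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The bearer-only store accepts the copied token from the second client, which is exactly the hijacking case above. The bound store rejects it, records an alert, and revokes the session so the legitimate holder is also logged out and has to re-authenticate; the long-lived "remember me" session is what makes a stolen token valuable, so binding and revocation matter most there.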