Passkeys will require another factor soon @ OWASP


Dirk Wetter

Nov 15, 2024, 4:33:21 AM
to Leaders
Hi,

this feels somewhat weird, security-wise. Is it possible to exempt passkeys?


Cheers, Dirk


PastedGraphic-1.png

Andrew van der Stock

Nov 15, 2024, 10:56:13 AM
to Dirk Wetter, Leaders
Hi Dirk,

Passkeys remain available as a login option once you enroll in MFA. I have MFA on all the things, and I use passkeys for all my GSuite accounts every single day.

thanks,
Andrew

--
You received this message because you are subscribed to the Google Groups "Leaders" group.
To unsubscribe from this group and stop receiving emails from it, send an email to leaders+u...@owasp.org.
To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/leaders/009F5FE0-954B-4F43-998B-1775CCE00225%40owasp.org.


--
OWASP Volunteer
Send me encrypted mails (Key ID 0x4D9CA7F2E2FA20B3)

Dirk Wetter

Nov 15, 2024, 11:24:45 AM
to Andrew van der Stock, Leaders
Hi Andrew,

thanks, maybe we misunderstood each other? My point being that there should be no reason to use a passkey plus MFA. Passkey only is fine.

The private key is on a hardware device and in practice there is no attack vector to retrieve that key. Moreover, and importantly (that is probably why MFA should be used here), passkeys are safe against phishing, unlike e.g. TOTP.

So if there's a possibility to exclude passkeys from the MFA policy in GSuite for OWASP, that would be much appreciated.

Thanks, Dirk
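The phishing-resistance point in the message above, as an added example that is not part of the thread: a relying party's WebAuthn assertion checks (origin, challenge, rpIdHash) beside an RFC 6238 TOTP check. The browser, not the page script, writes the page's origin into clientDataJSON and only permits an rpId that is a registrable suffix of the page's own host, so an assertion collected on a look-alike domain fails verification at the genuine site, whereas a TOTP code typed into a phishing page can simply be relayed. `example.org`, `example-org.evil`, the simulated browser/authenticator and the TOTP secret are all constructed for illustration; the ECDSA signature check is omitted because it does not change the outcome shown here.

```python
"""Passkey (WebAuthn) origin binding vs. relayable TOTP. Constructed example."""
import base64
import hashlib
import hmac
import json
import os
import struct
import time

RP_ID = "example.org"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://example.org"}  # origins the RP will accept


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """The binding steps of WebAuthn assertion verification (ceremony type,
    challenge, origin, rpIdHash, user-presence flag). Signature check omitted."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP flag: user present
        return False, "user presence flag not set"
    return True, "ok"


def simulate_browser_assertion(page_origin: str, challenge: bytes) -> tuple[bytes, bytes]:
    """Constructed model of browser + authenticator: the origin in clientDataJSON
    is the page's real origin, and the rpId is only RP_ID if the page host is
    RP_ID or a subdomain of it; otherwise the page is stuck with its own host."""
    host = page_origin.split("://", 1)[1]
    effective_rp_id = RP_ID if (host == RP_ID or host.endswith("." + RP_ID)) else host
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": page_origin,
    }).encode()
    flags, sign_count = 0x05, 0  # UP | UV; counter is constructed
    auth_data = (hashlib.sha256(effective_rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data, auth_data


def passkey_login_via(page_origin: str) -> bool:
    """RP issues a fresh challenge, the browser on page_origin answers it, RP verifies."""
    challenge = os.urandom(32)
    cd, ad = simulate_browser_assertion(page_origin, challenge)
    ok, _reason = verify_assertion_binding(cd, ad, challenge)
    return ok


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp_verify(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Typical server check: accept the current or the previous time step."""
    return any(hmac.compare_digest(totp(secret, now - k * step), code) for k in (0, 1))


def totp_login_via_phishing_relay(secret: bytes, now: int) -> bool:
    """Adversary-in-the-middle: the victim types the current code into the
    phishing page, which forwards it to the real site a few seconds later."""
    code_typed_by_victim = totp(secret, now)
    return totp_verify(secret, code_typed_by_victim, now + 5)


if __name__ == "__main__":
    print("passkey, genuine site  :", passkey_login_via("https://example.org"))
    print("passkey, phishing site :", passkey_login_via("https://example-org.evil"))
    print("TOTP relayed by phisher:", totp_login_via_phishing_relay(b"12345678901234567890", int(time.time())))
```

The TOTP secret `12345678901234567890` is the RFC 6238 test-vector key, so `totp(secret, 59)` yields `287082`, which lets the implementation be checked against the RFC. Note that the passkey check fails on origin before it even reaches the rpIdHash comparison; both are independent barriers.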

Grant Ongers (OWASP)

Nov 15, 2024, 1:03:32 PM
to Dirk Wetter, Andrew van der Stock, Leaders
I think Google considers Passkey to be a form of MFA for policy purposes.



--
https://twitter.com/rewtd
Grant Ongers
Co-Lead | OWASP Cornucopia Project
Co-Lead | OWASP PSCF
OWASP Compliance Officer
F164 738F 16BF FDBF F0B6 5720 C986 8AF7 5F41 97BE

Andrew van der Stock

Nov 15, 2024, 1:25:33 PM
to Leaders, Grant Ongers, Andrew van der Stock, Leaders, dirk
Google considers passkeys and passwords to be equivalent, even though passkeys are far better in every way. They are a single factor still (something you have). 

I don't have a choice to opt folks out of Google MFA if they have passkeys. So I've given everyone until the end of the year to sign up for MFA. I'll increase our comms to our members and on social media. 

MFA options.png

thanks,
Andrew



Bil Corry - Treasurer

Nov 15, 2024, 1:28:07 PM
to Andrew van der Stock, Leaders, Grant Ongers, dirk
Google won't ask for 2FA if using a passkey, but probably requires you to enroll in 2FA.

This screenshot is from the Google 2FA enrollment page (https://myaccount.google.com/signinoptions/twosv) and says the same thing:

image.png

Dirk Wetter

Nov 17, 2024, 8:07:33 AM
to Bil Corry - Treasurer, Andrew van der Stock, Leaders, Grant Ongers
Hi guys,

OK, after enabling another factor my passkey login worked without prompting further, so far.


Thanks, guys!

Dirk



