Last I checked hooking key events in Windows requires SYSTEM access. Stealing session tokens can be as easy as just pulling the entire browser profile, which I doubt requires elevated access. I imagine black market…
So... Nothing apart from some convoluted anecdote? If currently there's no password manager in existence that doesn't let you override the plaintext password extraction / override feature, there's nothing to stop one…
> since the autofill is not 100% reliable, it's not that unusual to go into the password store and manually get the password out of there. I imagine you can extract passwords out of security keys in some form without…
If your host is infected with malware but it can't steal your passwords due to hardware boundaries, it still has access to your host at a pretty reasonable permission level. In most corporate environments that's far…
If you're trying to prevent credential theft: Educate users on password managers, deploying 2FA, or tokens like this would also make sense. MFA deployments are probably significantly cheaper though (And yes,…
If malware is in a position to steal data from your clipboard or keylog your device, it's very likely to be in a position to hijack your session tokens.
Browser based password managers solve this.
Unpopular opinion: These keys are about selling the idea that physical-based security is somehow magically better. If you have good password hygene (read: a decent password manager) then I'll need to breach your host to…
Last I checked hooking key events in Windows requires SYSTEM access. Stealing session tokens can be as easy as just pulling the entire browser profile, which I doubt requires elevated access. I imagine black market…
So... Nothing apart from some convoluted anecdote? If currently there's no password manager in existence that doesn't let you override the plaintext password extraction / override feature, there's nothing to stop one…
> since the autofill is not 100% reliable, it's not that unusual to go into the password store and manually get the password out of there. I imagine you can extract passwords out of security keys in some form without…
If your host is infected with malware but it can't steal your passwords due to hardware boundaries, it still has access to your host at a pretty reasonable permission level. In most corporate environments that's far…
If you're trying to prevent credential theft: Educate users on password managers, deploying 2FA, or tokens like this would also make sense. MFA deployments are probably significantly cheaper though (And yes,…
If malware is in a position to steal data from your clipboard or keylog your device, it's very likely to be in a position to hijack your session tokens.
Browser based password managers solve this.
Unpopular opinion: These keys are about selling the idea that physical-based security is somehow magically better. If you have good password hygene (read: a decent password manager) then I'll need to breach your host to…