the grugq's newsletter

October 18, 2024

The answer to most questions about passkeys is "it depends on how your OS, your browser, and your service providers implement it".

But if prior art teaches us anything, the answer to that answer may be "it will be done in the least convenient and least interoperable way"

— lcamtuf (@lcamtuf) October 17, 2024


In case you missed it, it's possible to go directly from unauthenticated to DC password. Coerce the DC auth and crack the hash or relay to another DC. Here's a sloppy demo I did last year. High five for the assist @Bandrel https://t.co/3GOHsmVRj0 https://t.co/UQSQ5qLchU

— Tech Brandon (@TechBrandon) October 16, 2024


Microsoft has been running massive deception campaigns that flood new phishing sites with bogus credentials for bogus companies on MS tenants. When attackers log in, they deliver a torrent of fresh threat intelligence that can be used to defend: #infosec https://t.co/hFqljCGndq

— Jeremy Kirk (@jkirk@infosec.exchange) (@Jeremy_Kirk) October 17, 2024

Oooo. I like this!
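The defensive half of that deception scheme is just a monitor: decoy accounts exist only to be stolen, so any sign-in against one is attacker activity by construction, and each attempt yields an indicator (source IP, tooling, timing). The script below is an added example, not Microsoft's code or anything from the article linked above. The decoy identities, the "campaign" labels and the JSON-lines sign-in events are all constructed for the example, and the log shape is only loosely modelled on cloud sign-in logs.

```python
"""
Honeytoken-credential monitor (added example, constructed data).

Scans sign-in events for planted decoy usernames and turns each hit into
a small intelligence record: which bait campaign was taken, from which
IP and user agent, how many times, and with what outcome.
"""
import json
from dataclasses import dataclass, field

# Decoy identities planted on phishing sites, mapped to the campaign that
# planted them (constructed; not real tenants or accounts).
DECOYS = {
    "finance.lead@contoso-decoy.example": "bait-2024-q3-campaign-A",
    "it.helpdesk@fabrikam-decoy.example": "bait-2024-q3-campaign-B",
}

# Constructed sign-in events. Lines 2-3 are a scripted login with the
# campaign-A bait; line 4 is a browser-driven attempt with campaign-B bait.
SAMPLE_EVENTS = """\
{"ts":"2024-10-17T09:12:03Z","user":"alice@contoso.example","ip":"203.0.113.10","ua":"Mozilla/5.0","result":"success"}
{"ts":"2024-10-17T09:14:44Z","user":"finance.lead@contoso-decoy.example","ip":"198.51.100.7","ua":"python-requests/2.31","result":"success"}
{"ts":"2024-10-17T09:15:01Z","user":"finance.lead@contoso-decoy.example","ip":"198.51.100.7","ua":"python-requests/2.31","result":"success"}
{"ts":"2024-10-17T11:02:17Z","user":"it.helpdesk@fabrikam-decoy.example","ip":"192.0.2.55","ua":"Mozilla/5.0 (Windows NT 10.0)","result":"failure"}
{"ts":"2024-10-17T11:30:00Z","user":"bob@contoso.example","ip":"203.0.113.11","ua":"Mozilla/5.0","result":"failure"}
"""


@dataclass
class DecoyHit:
    campaign: str
    user: str
    ip: str
    user_agent: str
    first_seen: str
    last_seen: str
    attempts: int = 1
    results: set = field(default_factory=set)


def parse_events(text):
    """Parse JSON-lines sign-in events; skip malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_decoy_hits(events, decoys=DECOYS):
    """Group every sign-in against a decoy account by (campaign, ip, user agent)."""
    hits = {}
    for ev in events:
        user = ev.get("user", "").lower()
        if user not in decoys:
            continue  # a real user; out of scope for the honeytoken monitor
        key = (decoys[user], ev.get("ip"), ev.get("ua"))
        if key in hits:
            h = hits[key]
            h.attempts += 1
            h.first_seen = min(h.first_seen, ev["ts"])  # ISO-8601 sorts lexically
            h.last_seen = max(h.last_seen, ev["ts"])
        else:
            h = DecoyHit(campaign=decoys[user], user=user, ip=ev.get("ip"),
                         user_agent=ev.get("ua"), first_seen=ev["ts"],
                         last_seen=ev["ts"])
            hits[key] = h
        h.results.add(ev.get("result"))
    return list(hits.values())


def to_indicators(hits):
    """Emit minimal threat-intel records ordered by first sighting."""
    return [
        {"campaign": h.campaign, "indicator_ip": h.ip, "user_agent": h.user_agent,
         "attempts": h.attempts, "first_seen": h.first_seen,
         "last_seen": h.last_seen, "outcomes": sorted(h.results)}
        for h in sorted(hits, key=lambda h: h.first_seen)
    ]


if __name__ == "__main__":
    for ind in to_indicators(find_decoy_hits(parse_events(SAMPLE_EVENTS))):
        print(json.dumps(ind))
```

The grouping key deliberately includes the user agent, because a scripted login (`python-requests`) and a hands-on-keyboard browser session from the same IP are different tradecraft and worth reporting separately. Failed attempts are kept too: a wrong password against a decoy still proves the bait was lifted from the phishing site.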


Software liability comes to the EU.

The new EU liability law extends the definition of “defective products” to include software, holding manufacturers accountable for harm caused by software vulnerabilities.

If a software flaw leads to damage, manufacturers can now be held…

— Weld Pond | Chris Wysopal (@WeldPond) October 16, 2024


Microsoft has open sourced its new cross-platform virtual machine layer written in Rust: https://t.co/RtHaf3oDx5 From many of the same team who created WSL, including @benhillis.

— Hayden Barnes (@unixterminal) October 16, 2024

