Highest Rated Comments


Puzzleheaded_Egg6362 (14 karma)

That's not what I meant. I mean if a subdomain is hijacked then passkeys will work on xyz.google.com, then you're screwed too.

Watch this video and read more. How terrifying it is!!

Puzzleheaded_Egg6362 (3 karma)

Passkeys wouldn't be a help either, if you're a victim of the recent 'Microsoft Azure hosted subdomain hijacking'. Let's say you've enabled autofill; before you know it, you'll be authenticated as soon as you visit the phishing site with the similar top-level domain, whether it's a password or even passkeys. It all comes down to what 2FA you are using.

Puzzleheaded_Egg6362 (3 karma)

By passkeys autofill I mean that all it has to match is the domain name and TLD to prompt for passkeys for that website (no subdomain). And as a user, I would think that's legitimate. Idk if passkeys will be used for autologin or not. But in a rare scenario like the Azure case I mentioned before, it is a loophole for a phishing attack. It affects over 30k domains, then even passkeys fail there. Only 2FA will save you there.

Puzzleheaded_Egg6362 (1 karma)

And do you use a double-blind password strategy, also known as "horcruxing", "password splitting", or "partial passwords", for yourself? Or do you always store full passwords in Dashlane? Thanks.

Puzzleheaded_Egg6362 (0 karma)

When do we see 'Passwordless login for Dashlane account' rolling out?