Passkeys for Normal People

Let me start by very simply explaining the problem we're trying to solve with passkeys. Imagine you're logging on to a website like this:


And, because you want to protect your account from being logged into by someone else who may obtain your username and password, you've turned on two-factor authentication (2FA). That means that even after entering the correct credentials in the screen above, you're now prompted to enter the six-digit code from your authenticator app:


There are a few different authenticator apps out there, but what they all have in common is that they display a one-time password (henceforth referred to as an OTP) with a countdown timer next to it:


Because it's only valid for a short period of time, someone who obtains the OTP has a very short window in which to use it. Besides, who can possibly obtain it from your authenticator app anyway?! Well... that's where the problem lies, and I demonstrated this just recently, not intentionally, but rather entirely by accident when I fell victim to a phishing attack. Here's how it worked:


  1. I was socially engineered into visiting a phishing page that pretended to belong to Mailchimp who I use to send newsletters for this blog. The website address was mailchimp-sso.com, which was close enough to the real address (mailchimp.com) to be feasible. "SSO" is "single sign on", so also seemed feasible.
  2. When I saw the login screen (the one with the big "PHISH" stamp on it), and submitted my username and password to them, the phishing site then automatically used those credentials to begin t...
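The relay described above is worth seeing in code, because the "very short window" of a one-time password is exactly what makes it look safe and exactly what a real-time phishing proxy defeats. The following is an added example, not code from the original post or from any authenticator vendor: a standard RFC 4226/6238 TOTP implementation (HMAC-SHA1, 30-second step, 6 digits) with the server-side verifier that most sites use, which accepts the current time step plus one step either side to absorb clock drift. The `phishing_relay` function simulates the attack: the victim types the code into the phishing page, the phisher forwards it to the real site a few seconds later, and the real site accepts it. The demo secret is the RFC 6238 test-vector key (ASCII `12345678901234567890`, base32-encoded), and the function and variable names are my own.

```python
"""Added example (not from the original post): RFC 6238 TOTP plus a simulation
of the real-time phishing relay that defeats it. The 30 s step, 6 digits and
+/-1 step tolerance are common defaults and are assumed here, not taken from
any particular site."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
# Constructed demo key: the RFC 6238 test-vector secret "12345678901234567890",
# base32-encoded the way an authenticator app would receive it from a QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps.
    This is what the authenticator app displays next to its countdown timer."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step)


def verify_totp(secret_b32: str, code: str, unix_time: int, tolerance_steps: int = 1) -> bool:
    """Server-side check as commonly deployed: accept the code for the current
    step and for `tolerance_steps` steps either side, so a code typed near the
    end of its 30 s countdown is still honoured. In practice a code is therefore
    usable for up to about 90 seconds, not 30."""
    secret = base64.b32decode(secret_b32, casefold=True)
    current = unix_time // STEP_SECONDS
    for delta in range(-tolerance_steps, tolerance_steps + 1):
        if hmac.compare_digest(hotp(secret, current + delta), code):
            return True
    return False


def phishing_relay(secret_b32: str, victim_time: int, relay_delay_seconds: int) -> dict:
    """Simulate the attack from the post: the victim reads the code from the
    real authenticator app and types it into the phishing page at `victim_time`;
    the phisher forwards it to the genuine site `relay_delay_seconds` later.
    Nothing in the OTP ties it to the site the victim thought they were on."""
    code_typed_by_victim = totp(secret_b32, victim_time)
    accepted = verify_totp(secret_b32, code_typed_by_victim, victim_time + relay_delay_seconds)
    return {
        "code": code_typed_by_victim,
        "relay_delay_seconds": relay_delay_seconds,
        "accepted_by_real_site": accepted,
    }


if __name__ == "__main__":
    # Automated relay: a few seconds is plenty; the code is still inside the window.
    print(phishing_relay(DEMO_SECRET_B32, victim_time=59, relay_delay_seconds=20))
    # A slow, manual relay that misses the tolerance window is rejected.
    print(phishing_relay(DEMO_SECRET_B32, victim_time=59, relay_delay_seconds=100))
```

The point the simulation makes is that the countdown timer only defends against an attacker who obtains the code and uses it later; a phishing page that proxies the login in real time uses it within seconds, well inside the verifier's tolerance. The secret never left the victim's phone, and the code was genuine; the only thing wrong was the domain it was typed into, which nothing in the OTP scheme checks.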

Copyright © 2011-2025 iteam. Current version is 2.143.0. UTC+08:00, 2025-05-18 20:22