What does HackerNews think of evilginx2?

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication

Language: Go

No, if you break into a site using passkeys, it gives you literally zero information that can be used to authenticate as any of the users. Think about the prevalence of data breaches in the past decade, and the sharp rise in the effectiveness of password stuffing, and think about why this change might be a good idea.

Also even with traditional 2FA, TOTP can be phished. See https://github.com/kgretzky/evilginx2

WebAuthn almost entirely eliminates phishing risk (at least with respect to credential harvesting), and Passkeys are a really nice, clean UX for using WebAuthn.

> The way I use passwords is way safer than Keyri

I don't see how that is possible.

(1) Keyri private keys cannot be stolen other than through smartphone malware, which is exceedingly rare, while password managers and older USB keys are vulnerable to desktop malware, which is much more common - both credential stealers and, in the case of older generations of Yubikeys, keyloggers. Hardware OTP devices are additionally vulnerable man-in-the-middle phishing attacks (though the HN audience is generally savvy enough to not fall for phishing) - https://github.com/kgretzky/evilginx2.

(2) As long as you rely on passwords and TOTP, you're relying on the shared secret paradigm and trusting the relying party to handle your credentials properly. If the relying party's credential store is breached and the credentials were improperly stored (common even today), your credentials (both your password and OTP secrets) can be used by a bad actor to access your account. Public key systems like Keyri and FIDO2 substantially reduce this risk.

> As I said in a comment below, the fact that companies "can afford" is not the same as "it's worth it" to them

Please see my response below regarding account sharing. In short, eliminating account sharing in order to enforce TOS is an opportunity to (a) improve security (b) improve UX in cases where provisioning multiple users access to one account is warranted.

> Finally, with OpenID, I can set up my own identity provider, or use a privacy conscious one.

As you note, the vast majority of web services don't support arbitrary identity providers or use privacy conscious ones. History has proven that people don't set up their own identity provider. Additionally, the universe of "privacy conscious" OIDC providers is limited (non-existent?).

Login on desktop happens through scanning a QR code on the service's login page using the service's app. On a mobile device, logging in happens by tapping a button and being verified by biometrics (FaceID etc.) or a passcode (if enabled by the developer).

TOTP is an objectively worse UX - first you type in your username, then password, then open your phone, open the relevant app, read the code, and type in the code before it expires. With Keyri, you open the relevant app, tap a "scan" UI element, and point it at your screen. No typing, memorization, or race against the clock. Also, with TOTP, you're pulling out your phone and navigating to a specific app anyway, so I don't understand your UX objection. I'm also struggling to picture a situation in which a laptop or other device has connectivity but a phone does not. Presumably the laptop is on a WiFi network that the phone can also connect to. If the laptop is using some sort of satellite connection module, that module and/or laptop can fire up a hotspot. This connectivity problem would also arise in the push notification solution you propose in the next sentence.

Push notification solutions ("prompts") are defeatable using trivial man-in-the-middle phishing techniques. For example: https://github.com/kgretzky/evilginx2. Authenticator-initiated authentication solutions with two-way authentication like Keyri eliminate phishing.

Yeah most phishing attacks can't auto login, but there is an open source tool for doing it:

https://github.com/kgretzky/evilginx2

2FA is important of course, but it is in no way a panacea. Especially SMS or TOTP MFA. It is near-trivial to add a phase to phishing that captures the second factor as well. Tools like https://github.com/kgretzky/evilginx2 support it out-of-the-box.
Yubikeys are one of the few forms of 2FA that are highly resilient to being phished. Google has not only an option to restrict SMS 2FA, but an additional one below to restrict “all 2FA options except security keys” in GSuite.

It has been known for some time that TOTP 6 digit codes are easy to intercept. SMS Codes can also be intercepted, or gained via SSB7 vulns/ SIM jacking. This made things like Google Authenticator or Authy more resilient but certainly still quite vulnerable.

To intercept and exploit MFA in ProtonMail would absolutely trivial for a skilled single person to do. DNS poisoning + this github library would be all you needed: https://github.com/kgretzky/evilginx2

EDIT: replaced quotemark with asterisk