So here's what stops me from using Passkeys.
Uncategorized
20
Posts
9
Posters
0
Views
-
@mcc attestation is optional and bitwarden afaik doesn't implement it anyway
@leo @q Huh that's worrying though because some of the sites I would like to sign into with via passkeys are companies (Google, Microsoft) who own and are actively trying to lock me into "software signing" ecosystems. So if attested keys are optional now, but could become non-optional in future, then that looks like a plausible future screw-turn for Google or Microsoft to attempt.
-
@leo @q Huh that's worrying though because some of the sites I would like to sign into with via passkeys are companies (Google, Microsoft) who own and are actively trying to lock me into "software signing" ecosystems. So if attested keys are optional now, but could become non-optional in future, then that looks like a plausible future screw-turn for Google or Microsoft to attempt.
-
So here's what stops me from using Passkeys.
- I want Passkeys.
- I want to use "BitWarden".
- BitWarden can use passkeys on all my platforms incl Android.
- However, I do not install BitWarden on all my computers, because I don't trust some of them to hold my BitWarden vault.
- This means I have to have a way of "airgapping" the passkey— some way of using a passkey on a phone, is a computer.
- The ONLY way to do this the FIDO Alliance allows requires Bluetooth.
- My computer doesn't have that.I sometimes wonder if I want passkeys, but as far as I understand, they provide convenience at cost of security.
A proper random password kept in a password manager combined with U2F/TOTP on a separate device is more secure, because you have two independent factors for login (and the password manager and U2F provide the anti-phishing so beloved by FIDO alliance).
With passkey, you really have one - the password manager with the passkey.
But it is more convenient than using a password manager and an U2F token.
-
@leo @q Huh that's worrying though because some of the sites I would like to sign into with via passkeys are companies (Google, Microsoft) who own and are actively trying to lock me into "software signing" ecosystems. So if attested keys are optional now, but could become non-optional in future, then that looks like a plausible future screw-turn for Google or Microsoft to attempt.
@mcc @leo @q There is already an open source passkey implementation. https://github.com/google/OpenSK it uses CTAP (the FIDO alliance standard "Client to Authenticator Protocol". It is implemented as a separate hardware device, but there's no reason a virtual USB HID device could not do the same.
-
i'm thinking about the future
GitHub banned TOTP a few months ago with *one single weekend* of advance notice. They apparently are willing to move that quick.
-
I sometimes wonder if I want passkeys, but as far as I understand, they provide convenience at cost of security.
A proper random password kept in a password manager combined with U2F/TOTP on a separate device is more secure, because you have two independent factors for login (and the password manager and U2F provide the anti-phishing so beloved by FIDO alliance).
With passkey, you really have one - the password manager with the passkey.
But it is more convenient than using a password manager and an U2F token.
@Leszek_Karlik A password is less safe than a passkey because it can be MITMed and reused. On entry it can be stolen if your computer is compromised or there's a camera watching you type. On receipt, it can be exfiltrated if the web server or its edge server is compromised.
Now, random PW+TOTP as you say, that looks more appealing the more I see how passkeys turned out. But with passkeys in the world TOTP support may not be an option in future (GitHub recently put hard restrictions on TOTP use)
-
@Leszek_Karlik A password is less safe than a passkey because it can be MITMed and reused. On entry it can be stolen if your computer is compromised or there's a camera watching you type. On receipt, it can be exfiltrated if the web server or its edge server is compromised.
Now, random PW+TOTP as you say, that looks more appealing the more I see how passkeys turned out. But with passkeys in the world TOTP support may not be an option in future (GitHub recently put hard restrictions on TOTP use)
@Leszek_Karlik There was a period of some *years* that Twitter was, due to a "mistake"¹, logging every password as it came in from the login page, to a plaintext log file no one² realized was there. This single incident to me proves we want negotiate-shared-secret, not password-transmit, login protocols.
https://blog.x.com/official/en_us/topics/company/2018/keeping-your-account-secure.html
¹ IMO the chances are exceedingly high the "mistake" was inserted on purpose by an employee working on behalf of a nation-state actor
² Except the nation state actor.
-
@Leszek_Karlik There was a period of some *years* that Twitter was, due to a "mistake"¹, logging every password as it came in from the login page, to a plaintext log file no one² realized was there. This single incident to me proves we want negotiate-shared-secret, not password-transmit, login protocols.
https://blog.x.com/official/en_us/topics/company/2018/keeping-your-account-secure.html
¹ IMO the chances are exceedingly high the "mistake" was inserted on purpose by an employee working on behalf of a nation-state actor
² Except the nation state actor.
@mcc we've had perfectly good solutions for this for ages. Kerberos tickets and client X.509 certs work great when you have a centralized authentication authority. SCRAM works great for one-off individual sites. https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism
There's no reason for anyone to be sending passwords over the wire any more, but also these all still work without eliminating passwords completely.
-
-
@mcc The weird part for me here - *npm*, owned by GitHub, banned TOTP. GitHub, as far as I can tell, didn't. (It's still available in the UI and the docs have no warnings telling you not to use it.) So I suppose I can conclude that TOTP is insecure when you use it for npm and not when you use it for GitHub, according to Microsoft. https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication
-
@ryanprior @leo @q I was incorrect. Straight up incorrect.
It was NPM that did it. Source:
https://digipres.club/@misty/115664180577700824
My sense was that they did this as a panic response to a single NPM supply chain attack incident.
-
@ryanprior @leo @q I was incorrect. Straight up incorrect.
It was NPM that did it. Source:
https://digipres.club/@misty/115664180577700824
My sense was that they did this as a panic response to a single NPM supply chain attack incident.
-
undefined oblomov@sociale.network shared this topic
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@anominominominous @kigen c'è un dominio sul? Nop.
-
@evan about 40 on a 10yo desktop.
Zero on a client-provided laptop, although I did draw on it with a sharpie to mark which USB-C connector is for power and which is for "everything else"
-
@dancingtreefrog where do you put your stickers, then?
-
@gwcoffey it took me a while to realize you wish you were a "sticker person"
-
Dentist Unwrapped: sends you photos of all your cavities in 2025
-
-
OK, I made burbara tonight for St. Barbara's Day. It came out really good. It's a traditional dish for Middle Eastern Greeks and Arab Christians. It's made of wheat berries soaked and boiled for hours, then spiced with fennel, cinnamon, star anise, nutmeg and cloves. It's topped with nuts and pomegranate seeds, and given to kids on St. Barbara's Day. It is intense and exotic; just what we needed on a cold Montreal night.
-
hello beauty full moon
