@glyph Did you quote post something?
-
@aburka we need to replace passwords, and passkeys are a reasonable replacement for a lot of people, but the advocacy focus REALLY needs to shift from “hey users, cool feature alert, use passkeys everywhere!” to “hey website developers, standardize your fucking processes”. allow users to rehearse credential loss, set up successor accounts, ACTUALLY use passkeys as password replacements rather than bizarre MMMMFA security theater, and do it in legible ways common across all sites
@aburka if you actually want someone to explain passkeys to you I can do it, but I can only explain what the tech actually does and how sites are SUPPOSED to use it, not what the confused former intern at amazon or microsoft who implemented it for them before being immediately fired was thinking when they did that
-
#pluralistic describes it as the "fat-fingered economy" portion of surveillance capitalism.
They deliberately redesign interfaces to increase the chances of clicking on the wrong thing.
Linking phones to identities to laptops to home appliances to home addresses to email to bank accounts & credit cards to passports & driver's licenses...
Connecting games accounts to social media accounts to college accounts...
@Npars01 hmm. I was about to object, because the economic incentives don’t quite line up the same way here, but maybe it IS the same incentive structure, just … slanted weird, and deployed vastly more incompetently
-
@glyph *sigh* I am going to have to put up a rant one of these days about all the little annoying UX foot guns aren't I?
@cthos that will be useful, but, ultimately, https://mastodon.social/@glyph/115677038638322402
-
@glyph I don't really think they're a reasonable replacement for a lot of people though!
You have to solve the "I dropped my phone in the toilet" problem, and the only way to solve that is syncing the passkeys to cloud storage, that is, a password manager. So passkeys offer zero advantages over existing technology.
-
It is difficult to express how bad microsoft’s authentication system is. like it’s not just “bad” or “broken” or “buggy”, it is a world-historic interaction design catastrophe. no matter how bad you think it is, no, it’s worse than that actually.
@glyph i’m glad someone else is talking about this because the awfulness and unreliability of Microsoft’s login system—an inescapable part of the UI!—is insane.
-
@aburka okay, I guess I will explain then ;)
-
@glyph I mean, you still have to onboard people to a password manager (one that supports passkeys). Otherwise you're setting them up to get locked out of their accounts the moment they change devices, which is actively malicious. And if you can get them to use a password manager, they can use fucking passwords to log in.
-
@glyph I searched for "successor account" and got nothing, so please do
-
@aburka so there are a couple of issues you're citing here, let me go through them one at a time:
> I dropped my phone
The degree to which the label "passkey" *requires* this is a matter of some debate, but functionally, when "passkey" became A Thing as opposed to 'webauthn soft credential' was when the platform providers (google, microsoft, apple) all added E2E encrypted synchronization of passkeys, integrated with their native password managers.
-
@aburka If you "use passkeys" as a normal person, even with something like 1password, there's a recovery path, even if you have only a single device. For example, the way that this works with Apple is that you drop your phone in a toilet, then when you get a new phone, you enter the *device passphrase for the old phone* to decrypt your iCloud Keychain locally, and it syncs down from the cloud. This doesn't work with Advanced Data Protection, but that is very much opt-in.
-
@glyph (heads up, it's way past my bedtime, so I'm gonna be eagerly reading your replies... tomorrow)
-
> passkeys offer zero advantages over existing technology
what passkeys offer is cryptographic resistance to replay attacks. If you have a password, even if you have a TOTP code, you can be tricked into sharing it with an attacker, and the attacker can "replay" it back to the original site, taking over your account. The way they achieve this is that "the HTTPS domain name of the site that's asking" is baked into the key exchange; an attacker cannot trick your browser that way
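To make the "domain name baked into the key exchange" point concrete, here is an added example (not code from the thread or from any WebAuthn library) of the relying-party side of a passkey login in Go, using only the standard library. It simulates the authenticator signing the browser-supplied clientDataJSON together with the relying-party ID hash, then shows the server's verification: a normal login passes, an assertion relayed from a look-alike origin is rejected on the origin check, and one whose origin field was edited after signing fails the signature check. The relying party `bank.example`, the origins and the trimmed-down authenticator data (only the rpIdHash, no flags or counter) are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData holds the clientDataJSON fields that matter for origin binding.
// The browser fills in Origin; page JavaScript cannot override it.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the server's challenge
	Origin    string `json:"origin"`
}

// Assertion is a simplified login response from the authenticator.
type Assertion struct {
	AuthData       []byte // simplified: just sha256(rpID), no flags/counter
	ClientDataJSON []byte
	Signature      []byte // ES256 over authData || sha256(clientDataJSON)
}

// signedMessage is the ES256 input: SHA-256 of authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// SignAssertion plays the authenticator: it signs whatever clientDataJSON the
// browser hands it, bound to the hash of the relying-party ID.
func SignAssertion(priv *ecdsa.PrivateKey, rpID string, cd ClientData) (Assertion, error) {
	cdj, err := json.Marshal(cd)
	if err != nil {
		return Assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpIDHash[:], cdj))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: rpIDHash[:], ClientDataJSON: cdj, Signature: sig}, nil
}

// VerifyAssertion is the relying party's check: ceremony type, origin,
// challenge freshness, rpIdHash, and finally the signature covering all of it.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin string, challenge []byte, a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type " + cd.Type)
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: got %q, want %q", cd.Origin, expectedOrigin)
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, challenge) {
		return errors.New("challenge mismatch or stale challenge")
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 32 || !bytes.Equal(a.AuthData[:32], rpIDHash[:]) {
		return errors.New("rpIdHash does not match this relying party")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// RunScenario returns the verification results for a legitimate login, an
// assertion relayed from a look-alike origin, and one with an edited origin field.
func RunScenario() (legit, relayed, forged error) {
	const rpID = "bank.example"                     // hypothetical relying party
	const realOrigin = "https://bank.example"       // constructed
	const phishOrigin = "https://bank-example.evil" // constructed look-alike

	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err, err, err
	}
	ch := base64.RawURLEncoding.EncodeToString(challenge)

	// 1. Normal login on the real origin.
	a, err := SignAssertion(priv, rpID, ClientData{Type: "webauthn.get", Challenge: ch, Origin: realOrigin})
	if err != nil {
		return err, err, err
	}
	legit = VerifyAssertion(&priv.PublicKey, rpID, realOrigin, challenge, a)

	// 2. Relay: the real challenge is presented on a look-alike origin. A real browser
	//    would already refuse to use the credential there; even if it did not, the
	//    signed clientDataJSON names the wrong origin and the RP rejects it.
	b, err := SignAssertion(priv, rpID, ClientData{Type: "webauthn.get", Challenge: ch, Origin: phishOrigin})
	if err != nil {
		return legit, err, err
	}
	relayed = VerifyAssertion(&priv.PublicKey, rpID, realOrigin, challenge, b)

	// 3. Edited origin: the origin check now passes, but the signature covers
	//    clientDataJSON, so it no longer verifies.
	editedCD, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: ch, Origin: realOrigin})
	c := Assertion{AuthData: b.AuthData, ClientDataJSON: editedCD, Signature: b.Signature}
	forged = VerifyAssertion(&priv.PublicKey, rpID, realOrigin, challenge, c)
	return legit, relayed, forged
}

func main() {
	legit, relayed, forged := RunScenario()
	fmt.Println("legitimate login:", legit)
	fmt.Println("relayed from look-alike origin:", relayed)
	fmt.Println("origin edited after signing:", forged)
}
```

The thing to notice is that none of the three checks depends on the user: a password or TOTP code is the same bytes wherever it is typed, while the passkey signature is over data the browser wrote, including the origin, so the same assertion cannot be replayed to a different site.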
-
@aburka most password managers are relatively careful now about places where they will autofill, and the UX is getting more resistant, and exfiltrating a credential to the wrong site is getting harder all the time, but it remains *very* easy to circumvent that process, and the amount of social engineering required to fluster a spear-phishing target—even a very security-savvy one—to the point where they'll just open their password manager and manually copy/paste is *shockingly* low
-
Two things.
1) Who is there bullying developers to boycott it? WTF?!? That sounds a bit extreme considering the platform is getting more and more annoying to use all by itself by the day...
2) I'm surprised that Microsoft hasn't forced GitHub to use Azure AD for Authentication by now too...
-
@aburka re: "successor account" I am just referring to features like this https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/repository-access-and-collaboration/maintaining-ownership-continuity-of-your-personal-accounts-repositories and this https://support.apple.com/en-us/102631 and this https://myaccount.google.com/inactive
-
@glyph Because nothing else worked I had to activate Win11 by reading 20 sets of 6-digit numbers/letters to a chat-bot, which repeated every set to make sure it understood correctly. 20 minutes of yelling a random word salad at your phone while everyone around you laughs manically is hard and a bit humiliating. It is nothing compared to your experience, but goes to show that fucking around with users is intentional.
-
@aburka basically when you manage your credentials on a website, you actually need to understand edge cases like "how does this website decide if I'm dead so they know when to release my data to my heirs" or "what 'reset' credentials can completely obviate all security on this account". like if you're setting up super hardcore device-bound passkey MFA for some site, but actually a simple simjacking attack can grab a "reset" SMS, it's important to *know* that
-
@aburka you can't understand all that stuff if you can't rehearse it, and you should not need to *re-learn it* for every single website you have to have an account with in order to buy microtransaction tokens for a game your kid plays
-
@nik @agowa338 speaking from personal experience, let me just assure you that "become the enemy of joy" is not a great way to win people over to the cause of free software. I would also encourage you to learn about parents' only realistic alternative to Minecraft in terms of all-ages gameplay; the title may give you some idea of why I prefer the devil I know in Microsoft in this case: https://hindenburgresearch.com/roblox/