@glyph Did you quote post something?
Uncategorized
903
Posts
312
Posters
0
Views
-
@glyph encountering a passkey on an iPhone is a way better experience than encountering it on windows. Even still the UX is a giant mess across the ecosystem.
(Insert rant about discoverable keys)
I do hope we sort this out, but it feels like an uphill battle
@cthos this whole experience was on apple devices but there is only so much that can be mitigated
-
It is difficult to express how bad microsoft’s authentication system is. like it’s not just “bad” or “broken” or “buggy”, it is a world-historic interaction design catastrophe. no matter how bad you think it is, no, it’s worse than that actually.
@glyph this is why I try my best to avoid anything made by Microsoft. It's not just authentication system, EVERYTHING they do is like that
-
@cthos this whole experience was on apple devices but there is only so much that can be mitigated
@glyph *sigh* I am going to have to put up a rant one of these days about all the little annoying UX foot guns aren't I?
-
if this is how most people encounter passkeys it’s no wonder that they fucking hate them. it feels like getting tricked. because it is getting tricked. I was tricked
#pluralistic describes it as the "fat-fingered economy" portion of surveillance capitalism.
They deliberately redesign interfaces to increase the changes of clicking on the wrong thing.
Linking phones to identities to laptops to home appliances to home addresses to email to bank accounts & credit cards to passports & driver's licenses...
Connecting games accounts to social media accounts to college accounts...
-
@glyph my experience of using passkeys is that if by fantastical chance every single element of the software stack I'm using is compatible, then I'll randomly get a pop-up asking if I want to log in with a passkey instead of having my password manager autofill the password. There's no time savings. And it still wants a six digit code afterwards.
Last week one of my accounts, which previously did the passkey prompt, started instead prompting my to "touch my Yubikey". I don't have a Yubikey. I've never used a Yubikey for any account. But there's no option to click to contradict the software's assumptions. (Also, most users would have absolutely no idea what a Yubikey is or why you would touch one.)
My experience of using passkeys is strictly worse than a normal password manager. Plus, it's easy to understand how a password works, whereas it seems like I'm not allowed to understand passkeys, or at least nobody is interested in trying to explain it to build user confidence that they're secure, you're just expected to believe in the magic. Engineers who have only ever used top-of-the-line Apple products and never shared devices with another person took a formidable problem (password reuse) and invented a treatment that is significantly worse than the disease.
@aburka on some level I disagree, in that the infrastructure in the browser, the cloud services, the client devices etc is all tremendously valuable. (it’s not really designed for “time savings”, particularly not for people already using password managers, but for increased security for those who aren’t). I don’t want the baby thrown out with the bathwater here.
-
@aburka on some level I disagree, in that the infrastructure in the browser, the cloud services, the client devices etc is all tremendously valuable. (it’s not really designed for “time savings”, particularly not for people already using password managers, but for increased security for those who aren’t). I don’t want the baby thrown out with the bathwater here.
@aburka but I must concede that the overall, systemic effect, particularly once RPs are taken into account, is a roiling disaster. prompting for a username, a password, a passkey AND a TOTP (or even worse, email or SMS) code is confused to the point of incapacity. Complete cryptogibberish, probably less secure than what it’s replacing.
-
@aburka but I must concede that the overall, systemic effect, particularly once RPs are taken into account, is a roiling disaster. prompting for a username, a password, a passkey AND a TOTP (or even worse, email or SMS) code is confused to the point of incapacity. Complete cryptogibberish, probably less secure than what it’s replacing.
@aburka we need to replace passwords, and passkeys are a reasonable replacement for a lot of people, but the advocacy focus REALLY needs to shift from “hey users, cool feature alert, use passkeys everywhere!” to “hey website developers, standardize your fucking processes”. allow users to rehearse credential loss, set up successor accounts, ACTUALLY use passkeys as password replacements rather than bizarre MMMMFA security theater, and do it in legible ways common across all sites
-
@aburka we need to replace passwords, and passkeys are a reasonable replacement for a lot of people, but the advocacy focus REALLY needs to shift from “hey users, cool feature alert, use passkeys everywhere!” to “hey website developers, standardize your fucking processes”. allow users to rehearse credential loss, set up successor accounts, ACTUALLY use passkeys as password replacements rather than bizarre MMMMFA security theater, and do it in legible ways common across all sites
@aburka if you actually want someone to explain passkeys to you I can do it, but I can only explain what the tech actually does and how sites are SUPPOSED to use it, not what the confused former intern at amazon or microsoft who implemented it for them before being immediately fired was thinking when they did that
-
#pluralistic describes it as the "fat-fingered economy" portion of surveillance capitalism.
They deliberately redesign interfaces to increase the changes of clicking on the wrong thing.
Linking phones to identities to laptops to home appliances to home addresses to email to bank accounts & credit cards to passports & driver's licenses...
Connecting games accounts to social media accounts to college accounts...
@Npars01 hmm. I was about to object, because the economic incentives don’t quite line up the same way here, but maybe it IS the same incentive structure, just … slanted weird, and deployed vastly more incompetently
-
@glyph *sigh* I am going to have to put up a rant one of these days about all the little annoying UX foot guns aren't I?
@cthos that will be useful, but, ultimately, https://mastodon.social/@glyph/115677038638322402
-
@aburka we need to replace passwords, and passkeys are a reasonable replacement for a lot of people, but the advocacy focus REALLY needs to shift from “hey users, cool feature alert, use passkeys everywhere!” to “hey website developers, standardize your fucking processes”. allow users to rehearse credential loss, set up successor accounts, ACTUALLY use passkeys as password replacements rather than bizarre MMMMFA security theater, and do it in legible ways common across all sites
@glyph I don't really think they're a reasonable replacement for a lot of people though!
You have to solve the "I dropped my phone in the toilet" problem, and the only way to solve that is syncing the passkeys to cloud storage, that is, a password manager. So passkeys offer zero advantages over existing technology.
-
It is difficult to express how bad microsoft’s authentication system is. like it’s not just “bad” or “broken” or “buggy”, it is a world-historic interaction design catastrophe. no matter how bad you think it is, no, it’s worse than that actually.
@glyph i’m glad someone else is talking about this because the awfulness and unreliability of Microsoft’s login system—an inescapable part of the UI!—is insane.
-
@glyph I don't really think they're a reasonable replacement for a lot of people though!
You have to solve the "I dropped my phone in the toilet" problem, and the only way to solve that is syncing the passkeys to cloud storage, that is, a password manager. So passkeys offer zero advantages over existing technology.
@aburka okay, I guess I will explain then ;)
-
@aburka okay, I guess I will explain then ;)
@glyph I mean, you still have to onboard people to a password manager (one that supports passkeys). Otherwise you're setting them up to get locked out of their accounts the moment they change devices, which is actively malicious. And if you can get them to use a password manager, they can use fucking passwords to log in.
-
@aburka okay, I guess I will explain then ;)
@glyph I searched for "successor account" and got nothing, so please do
-
@glyph I mean, you still have to onboard people to a password manager (one that supports passkeys). Otherwise you're setting them up to get locked out of their accounts the moment they change devices, which is actively malicious. And if you can get them to use a password manager, they can use fucking passwords to log in.
@aburka so there are a couple of issues you're citing here, let me go through them one at a time:
> I dropped my phone
The degree to which the label "passkey" *requires* this is a matter of some debate, but functionally, when "passkey" became A Thing as opposed to 'webauthn soft credential' was when the platform providers (google, microsoft, apple) all added E2E encrypted synchronization of passkeys, integrated with their native password managers.
-
@aburka so there are a couple of issues you're citing here, let me go through them one at a time:
> I dropped my phone
The degree to which the label "passkey" *requires* this is a matter of some debate, but functionally, when "passkey" became A Thing as opposed to 'webauthn soft credential' was when the platform providers (google, microsoft, apple) all added E2E encrypted synchronization of passkeys, integrated with their native password managers.
@aburka If you "use passkeys" as a normal person, even with something like 1password, there's a recovery path, even if you have only a single device. For example, the way that this works with Apple is that you drop your phone in a toilet, then when you get a new phone, you enter the *device passphrase for the old phone* to decrypt your iCloud Keychain locally, and it syncs down from the cloud. This doesn't work with Advanced Data Protection, but that is very much opt-in.
-
@glyph I searched for "successor account" and got nothing, so please do
@glyph (heads up, it's way past my bedtime, so I'm gonna be eagerly reading your replies... tomorrow)
-
@cthos that will be useful, but, ultimately, https://mastodon.social/@glyph/115677038638322402
-
@glyph (heads up, it's way past my bedtime, so I'm gonna be eagerly reading your replies... tomorrow)
> passkeys offer zero advantages over existing technology
what passkeys offer is cryptographic resistance to replay attacks. If you have a password, even if you have a TOTP code, you can be tricked into sharing it with an attacker, and the attacker can "replay" it back to the original site, taking over your account. The way they achieve this is that "the HTTPS domain name of the site that's asking" is baked into the key exchange; an attacker cannot trick your browser that way
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@ulisse62
e cambiare i criteri di nomina della Corte suprema + attribuirle formalmente il vaglio di costituzionalitá, cosa che adesso si è auto attribuita
-
@futurebird Don't laugh too hard. I wouldn't put it past Zuckerberg to integrate "nudification AI" features into his glasses. Every time another INCEL looks at a woman it consumes enough energy to power a home for a month.
-
@futurebird scam‽ I want my 25¢ back!
-
All I can think of is those scam "X-ray glasses" from the back of the comic books.
-
@quinta di sicuro se gli USA vogliono riacquistare credibilità devono togliere un bel po' di potere al presidente e passarlo al congresso. Senza questo passaggio nessuno si fiderà più, non si può rischiare che il prossimo fuori di testa butti all'aria accordi internazionali.
-
@quinta Un passo alla volta, prima sarebbe necessario che l'amministrazione Trump tutta (non solo D. Trump) lasciasse il palcoscenico.
E in seguito che uomini e donne di buona volontà americani, sani di mente, non criminali, corrotti, invasati di singolarità ecc., con idee e cultura si mettano all'opera.
La vedo lunga....purtroppo.
-
@marcosk916 ciao e benvenuto, wow complimenti! Bel dominio!
Diciamo che essendo un dominio registrato ma non utilizzato potrebbe essere una bella idea utilizzarlo per far conoscere le alternative etiche come mastodon.
Twitter chiuse la sede italiana anni fa e praticamente non ha più alcuna presenza in italia da anni, quindi difficilmente se ne accorgeranno ma legalmente se non crei un sito concorrente a X/twitter difficilmente diranno qualcosa.
-
Jen 🐦🔥 (@jen4man.bsky.social)
https://bsky.app/profile/jen4man.bsky.social/post/3mc5spqxa6s2n
> 💙💙💙🙏🏼
