@glyph Did you quote post something?
Uncategorized
903
Posts
312
Posters
0
Views
-
@glyph I mean, you still have to onboard people to a password manager (one that supports passkeys). Otherwise you're setting them up to get locked out of their accounts the moment they change devices, which is actively malicious. And if you can get them to use a password manager, they can use fucking passwords to log in.
@aburka so there are a couple of issues you're citing here, let me go through them one at a time:
> I dropped my phone
The degree to which the label "passkey" *requires* this is a matter of some debate, but functionally, when "passkey" became A Thing as opposed to 'webauthn soft credential' was when the platform providers (google, microsoft, apple) all added E2E encrypted synchronization of passkeys, integrated with their native password managers.
-
@aburka so there are a couple of issues you're citing here, let me go through them one at a time:
> I dropped my phone
The degree to which the label "passkey" *requires* this is a matter of some debate, but functionally, when "passkey" became A Thing as opposed to 'webauthn soft credential' was when the platform providers (google, microsoft, apple) all added E2E encrypted synchronization of passkeys, integrated with their native password managers.
@aburka If you "use passkeys" as a normal person, even with something like 1password, there's a recovery path, even if you have only a single device. For example, the way that this works with Apple is that you drop your phone in a toilet, then when you get a new phone, you enter the *device passphrase for the old phone* to decrypt your iCloud Keychain locally, and it syncs down from the cloud. This doesn't work with Advanced Data Protection, but that is very much opt-in.
-
@glyph I searched for "successor account" and got nothing, so please do
@glyph (heads up, it's way past my bedtime, so I'm gonna be eagerly reading your replies... tomorrow)
-
@cthos that will be useful, but, ultimately, https://mastodon.social/@glyph/115677038638322402
-
@glyph (heads up, it's way past my bedtime, so I'm gonna be eagerly reading your replies... tomorrow)
> passkeys offer zero advantages over existing technology
what passkeys offer is cryptographic resistance to replay attacks. If you have a password, even if you have a TOTP code, you can be tricked into sharing it with an attacker, and the attacker can "replay" it back to the original site, taking over your account. The way they achieve this is that "the HTTPS domain name of the site that's asking" is baked into the key exchange; an attacker cannot trick your browser that way
-
> passkeys offer zero advantages over existing technology
what passkeys offer is cryptographic resistance to replay attacks. If you have a password, even if you have a TOTP code, you can be tricked into sharing it with an attacker, and the attacker can "replay" it back to the original site, taking over your account. The way they achieve this is that "the HTTPS domain name of the site that's asking" is baked into the key exchange; an attacker cannot trick your browser that way
@aburka most password managers are relatively careful now about places where they will autofill, and the UX is getting more resistant to exfiltrating a credential to the wrong site is getting harder all the time, but it remains *very* easy to circumvent that process, and the amount of social engineering required to fluster a spear-phishing target—even a very security-savvy one—to the point where they'll just open their password manager and manually copy/paste is *shockingly* low
-
Two things.
1) Who is there bullying developers to boycott it? WTF?!? That sounds a bit extreme considering the platform is getting more and more annoying to use all by itself by the day...
2) I'm surprised that Microsoft hasn't forced GitHub to use Azure AD for Authentication by now too...
3) I think all of it is a fair punishment for parents being Microsoft's accomplice in dragging their children into their ecosystem and allowing them to submit to their marketing.
-
@aburka most password managers are relatively careful now about places where they will autofill, and the UX is getting more resistant to exfiltrating a credential to the wrong site is getting harder all the time, but it remains *very* easy to circumvent that process, and the amount of social engineering required to fluster a spear-phishing target—even a very security-savvy one—to the point where they'll just open their password manager and manually copy/paste is *shockingly* low
@aburka re: "successor account" I am just referring to features like this https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/repository-access-and-collaboration/maintaining-ownership-continuity-of-your-personal-accounts-repositories and this https://support.apple.com/en-us/102631 and this https://myaccount.google.com/inactive
-
It is difficult to express how bad microsoft’s authentication system is. like it’s not just “bad” or “broken” or “buggy”, it is a world-historic interaction design catastrophe. no matter how bad you think it is, no, it’s worse than that actually.
@glyph Because nothing else worked I had to activate Win11 by reading 20 sets of 6-digit numbers/letters to a chat-bot, which repeatet every set to make sure it understood correctly. 20 minutes of yelling a random wordsalad at your phone while everyone around you laughs manically is hard and a bit humiliating. It is nothing compared to your experience, but goes to show that fucking around with users is intentional.
-
@aburka re: "successor account" I am just referring to features like this https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/repository-access-and-collaboration/maintaining-ownership-continuity-of-your-personal-accounts-repositories and this https://support.apple.com/en-us/102631 and this https://myaccount.google.com/inactive
@aburka basically when you manage your credentials on a website, you actually need to understand edge cases like "how does this website decide if I'm dead so they know when to release my data to my heirs" or "what 'reset' credentials can completely obviate all security on this account". like if you're setting up super hardcore device-bound passkey MFA for some site, but actually a simple simjacking attack can grab a "reset" SMS, it's important to *know* htat
-
@aburka basically when you manage your credentials on a website, you actually need to understand edge cases like "how does this website decide if I'm dead so they know when to release my data to my heirs" or "what 'reset' credentials can completely obviate all security on this account". like if you're setting up super hardcore device-bound passkey MFA for some site, but actually a simple simjacking attack can grab a "reset" SMS, it's important to *know* htat
@aburka you can't understand all that stuff if you can't rehearse it, and you should not need to *re-learn it* for every single website you have to have an account with in order to buy microtransaction tokens for a game your kid plays
-
@nik @agowa338 speaking from personal experience, let me just assure you that "become the enemy of joy" is not a great way to win people over to the cause of free software. I would also encourage you to learn about parents' only realistic alternative to Minecraft in terms of all-ages gameplay; the title may give you some idea of why I prefer the devil I know in Microsoft in this case: https://hindenburgresearch.com/roblox/
-
Two things.
1) Who is there bullying developers to boycott it? WTF?!? That sounds a bit extreme considering the platform is getting more and more annoying to use all by itself by the day...
2) I'm surprised that Microsoft hasn't forced GitHub to use Azure AD for Authentication by now too...
@agowa338 I didn't say "bullying", but if you're interested, here's the campaign. (I think it is misguided, because it severely misunderstands the kind of resource leverage that Github provides, but I can certainly understand why they do not consider Github a trustworthy infrastructure partner.) https://sfconservancy.org/GiveUpGitHub/
-
@nik @agowa338 speaking from personal experience, let me just assure you that "become the enemy of joy" is not a great way to win people over to the cause of free software. I would also encourage you to learn about parents' only realistic alternative to Minecraft in terms of all-ages gameplay; the title may give you some idea of why I prefer the devil I know in Microsoft in this case: https://hindenburgresearch.com/roblox/
I will not continue this discussion as you seem to underestimate the experience I have in this topic, and seem to lack experience in child-safe, open gaming yourself (you could ask for it, but chose to discredit me instead).
(Just one hint: I have a truckload of parents and children here who simply insist in playing MineClonia instead, and it works in all cases.)
-
@cthos that will be useful, but, ultimately, https://mastodon.social/@glyph/115677038638322402
@glyph I agree there and also educating site owners (and have the IdP vendors help) on how to present them coherently.
But also, the spec is deep and confusing and people still don't get the discoverable vs non discoverable distinction and there isn't a clear delineation
-
I will not continue this discussion as you seem to underestimate the experience I have in this topic, and seem to lack experience in child-safe, open gaming yourself (you could ask for it, but chose to discredit me instead).
(Just one hint: I have a truckload of parents and children here who simply insist in playing MineClonia instead, and it works in all cases.)
-
@glyph … and woe betide you if you have the misfortune to both (a) be a teacher in a school system that uses MS infrastructure, and (b) have children studying in the same school system. This appears to be a use case that MS authentication is unable to account for. It doesn’t matter what you’re trying to do - you’re logged into the “other” system, and trying to correct things only makes things worse. Incognito browsing and/or completely separate browsers appears to be the only solution.
Ask me how I know.
@freakboy3742 so, I have not experienced this *exact* alignment of misfeatures, but, let's just say that I have experienced a … sufficiently resonant set of circumstances with this particular system that I am nodding along, grinning amiably as I read this toot, trembling almost imperceptibly and with just the littlest bit of blood trickling out of one of my ears
-
@freakboy3742 so, I have not experienced this *exact* alignment of misfeatures, but, let's just say that I have experienced a … sufficiently resonant set of circumstances with this particular system that I am nodding along, grinning amiably as I read this toot, trembling almost imperceptibly and with just the littlest bit of blood trickling out of one of my ears
@freakboy3742 I can't even fully explain the _full_ disaster that lead to this but suffice it to say that every time Microsoft wants to do anything with a passkey, I have to carefully navigate past an entry that reads "glyph (Microsoft) (Twisted) (Other)" in my password manager, and it can never under any circumstances be deleted
-
It is difficult to express how bad microsoft’s authentication system is. like it’s not just “bad” or “broken” or “buggy”, it is a world-historic interaction design catastrophe. no matter how bad you think it is, no, it’s worse than that actually.
@glyph This is a very accurate description.
I somehow ended up with three different accounts, one of them split further into "personal" and "organization". Each one appears to have a different set of access rights.
I'm unable to reset the PW on the organizational account, because of some policy. But I'm asked to change that PW every few months, because that's policy too.
I'm pretty sure no real person ever set this up, and I'm not aware of any "admin" person I would be able to ask about it.
-
@glyph … and woe betide you if you have the misfortune to both (a) be a teacher in a school system that uses MS infrastructure, and (b) have children studying in the same school system. This appears to be a use case that MS authentication is unable to account for. It doesn’t matter what you’re trying to do - you’re logged into the “other” system, and trying to correct things only makes things worse. Incognito browsing and/or completely separate browsers appears to be the only solution.
Ask me how I know.
@freakboy3742 @glyph It beats even firefox containers?
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@Sirchrism le consultazioni sono uno strumento frequentemente adottato dall'Unione
-
@rl_dane I once dropped my work Thinkpad down two flights of concrete stairs. Still worked. They're indestructible. 🔥
-
Messaggio in codice da Qaanaaq
-
Avete fatto bene ad accendere i caloriferi...
.
#caturday #CatsOfMastodon #Miagolina
-
@poleguy yes, ty! In real time wasd control.
On video below it’s how I see it on pc screen (with actual audio).
-
@js wow, that's *TurboTax*?
-
@ut3usw that's fun. Are you controlling/calculating this in real time?
-
@gmarcosanti buona come la focaccia ligure?
