I like passkeys*
* resident, non-hardware-token-based public key authentication mechanism for websites and Android apps, not to be confused with other things also called "passkeys" indiscriminately
-
@whitequark
so, like, who has these things and how do they work? they send you a nonce and you sign it? I haven't seen this as an option on any site or within keepassxc but I haven't been looking either.
-
@dlakelan you have to enable it within the keepassxc browser extension; most major webtech companies (starting with google) have been pushing passkeys for a while
cryptographic details are explained on a high level here: https://www.passkeys.io/technical-details
-
all of my passkeys* live in a KeePassXC database and I am both safe from phishing and from the services becoming unavailable because I lost a hardware token, which is why I like them
@whitequark
I get the lost hardware token situation which is bad, but IMO the underlying issue is that there's not many services that accept more than one hardware token, which is a shame. Having at least two tokens registered, where one is with somebody at all times and the other one in a safe and is never out unless the first one is missing, would fit many threat models (not all, granted)
-
@magnetic_tape I agree with this in principle but personally since the effort to register/replace one hardware token is already too high, two is worse, not better
-
@whitequark
got it. my impression was these required some TPM and/or proprietary stuff from Windows etc. I was treating them as trash. but if keepassxc can be the secure store I am on board
-
@dlakelan a lot of people have this misconception thanks to some enormous communication failures by the big tech companies. the underlying technology is fine, it's just described in a completely unhelpful and misleading manner
-
@whitequark
yeah my impression was a third party holding keys or proprietary hardware stuff was how they work. if you think I'm gonna let someone else have all my keys then forget it. but yeah I'll be looking for the keepassxc browser extension settings now... thank you for clarifying this
-
@whitequark you can still lose your KeePassXC database or mis-sync it
-
@lnl i have hourly backups and multiple replicas within a literal arm's reach
-
@whitequark same here.
-
@whitequark I want to like them, but when I recently went to register a different hardware token to my Google account it decided that Firefox on Linux isn't supported to register a passkey, so I got locked out. I'm now in the process of removing my passkeys from other accounts since I can't trust them. That and Microsoft's dark pattern of forcing you to enroll one on login if you don't have one.
That being said, I also want a clean export opportunity. The fact that KeePassXC supports them gives me a little hope, but I would like a format that I can export, archive, and import into another program without having to do some double fiddly import/export on my phone or whatever. I think the latest Apple iOS version lets you transfer between apps using their own proprietary process, but I want something cross-platform.
-
@gibwar I think sites can and do sometimes place additional (mostly ridiculous) requirements, Google being the main one in my experience; but then if you don't trust the website it's kind of a lost cause to expect it to reliably authorize you
KeePassXC does let you export passkeys but I can't tell if it's a standard format or if there is even a standard format
-
The downside of a pure software implementation is that a kernel vulnerability can still exfiltrate all of your keys. Hardware (including TPM)-based implementations are robust against this because the kernel can ask the device to do the signing, but that only allows online attacks: while someone compromises your machine, they can log in as you, but they can't exfiltrate your credentials.
Apple's design is nice because the keys are resident only in the secure element, but they do have a flow for copying them to another secure element (encrypted with a key that's negotiated during the exchange), but that locks you into their ecosystem.
The problem that they're trying to solve is a very hard one: How do you make it easy to copy your keys to another device but make it hard for a malicious person to force or trick you into copying the keys to their device? This is relatively easy within a closed ecosystem, but it's much harder to do in an open model.
-
@david_chisnall @dlakelan for sure, there is a tradeoff; in my nearly 20 years of actively being on the Internet I've been phished 0 times and stranded in a country whose language I don't speak because of a stupid 2FA login issue... significantly more than that. so I don't value security all that much, and I think the focus on preventing key exfiltration at all costs (including a significant cost to availability) is both myopic in general and too easily turned anti-end-user
-
With Catherine 100% here. The number of times that I've had my Linux laptop or desktop kernel compromised is ZERO in 30 years while the number of times I've been locked out of my brokerage account because of a failed piece of hardware that was the only hardware 2FA they allow is non-zero in the last year. It would be significantly easier to catfish the fallback security overrides with the brokers on the phone than it would be to kernel compromise my infrastructure.
-
@whitequark It doesn't do it any more, but when I registered my Yubikey as a second factor on my Google account, it would for quite a while prompt me to use it as a standard passkey (as a replacement for, not in addition to, my password). So that has certainly diminished my view of their implementation.
-
@whitequark I'll be honest that I don't. I've set them up for a few accounts, and universally regret it.
The reliability of logging in with them seems to be abysmal. The implementations on some major websites seem very sketchy, and then my PW manager and my browser sometimes fight over who should be prompting me to use a passkey. I would estimate that ~50% of the time I try to use them it fails, and then I get buggily transferred into some kind of backup login flow.
-
@whitequark I share your desire for availability, but I've mostly achieved that by using 2fac authentication code generator apps, which I have set up on redundant devices.
-
@resistor huh, I have a very different experience. what are some major failure points for you? (specific websites)
-
@resistor I also set that up in a similar way; mainly I just hate entering the codes because I have been traumatized by SMS 2FA, and passkeys just... lack that step