Conversation

Notices

1. Embed this notice
   gme / BOFH ?? ?? (gme@bofh.social)'s status on Thursday, 27-Apr-2023 03:30:44 JST gme / BOFH ?? ??

   I am concerned that the industry push away from passwords towards security keys and biometrics is a giant step backwards for civil liberties in the US.

   A person in the US can’t be compelled to give up their password (usually, of course there are exceptions, but they are few and don’t affect the average person) as that would be considered a violation of several US Constitutional amendments (mainly the 4th and 5th).

   In addition, there are few (if any) 4th amendment protections for any data that is stored “in the cloud”. Service providers can, and have been, compelled to disclose sensitive information in their custody that “belongs” to a person, organization, or other “entity”.

   But more alarming is that an American citizen does not have any 4th or 5th amendment protections against being forced to look at phone or computer to unlock its contents, or to provide a finger to do the same.

   There are even issues with Yubikeys. They are physical keys and anybody with access to them can unlock any system that is protected with them.

   So forgive me for not jumping on the passkey, Windows Hello, and other security key bandwagon and avoiding those technologies when I can.

   Sure, they’re convenient!

   But at what cost?

   • Embed this notice
     feld (feld@bikeshed.party)'s status on Thursday, 27-Apr-2023 03:30:43 JST feld

     in reply to
     as long as you can protect the security key with a password it should be fine
   • Embed this notice
     feld (feld@bikeshed.party)'s status on Thursday, 27-Apr-2023 03:34:32 JST feld

     in reply to
     yes, but I don't know of a way to do it in practice except using the Apple PassKey implementation and turning off TouchID and FaceID so you have to put in a password to use it
   • Embed this notice
     gme / BOFH ?? ?? (gme@bofh.social)'s status on Thursday, 27-Apr-2023 03:34:33 JST gme / BOFH ?? ??

     in reply to

     • feld

     @feld Is that possible with passkey?

   • Embed this notice
     feld (feld@bikeshed.party)'s status on Thursday, 27-Apr-2023 03:45:13 JST feld

     in reply to
     If I could somehow make a PassKey out of my GPG/smartcard on my yubikey it would be possible for me to require my passphrase before the PassKey could be used.
     
     I wonder if someone is working on this or if it's even possible.
   • Embed this notice
     gme / BOFH ?? ?? (gme@bofh.social)'s status on Thursday, 27-Apr-2023 03:45:14 JST gme / BOFH ?? ??

     in reply to

     • feld

     @feld Doesn’t seem possible to do it with a Yubikey though, and this guy has configured his yubikey to decrypt his encrypted hard drive. Which is scary as fuck if you’re doing anything even remotely counter to the current political climate in your region.

     https://www.endpointdev.com/blog/2022/03/disk-decryption-yubikey/

     (This is kinda what prompted me to write what I did.)

     I like how he had to upgraded his yubikey services because the older version was more secure than what he wanted.