GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    Adlangx (lightninhopkins@mastodon.social)'s status on Saturday, 27-Apr-2024 12:47:36 JST
    in reply to
    • Tim Bray

    @timbray Damn, we gotta come up with a solution for this. Passwords are a fucking mess.

    In conversation Saturday, 27-Apr-2024 12:47:36 JST from mastodon.social

      Tim Bray (timbray@cosocial.ca)'s status on Saturday, 27-Apr-2024 12:47:37 JST

      Passkeys were hot last year, don’t seem to be catching on, here’s one view of why that is. Dark and sobering but convincing: https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/

      In conversation Saturday, 27-Apr-2024 12:47:37 JST

      Attachments

      1. https://media.cosocial.ca/media_attachments/files/112/339/186/590/509/689/original/c68a55cc5f6cc237.png

      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 00:19:03 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      Passkeys are phishing-resistant, and two-factor authentication methods other than FIDO hardware keys are not.
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 00:19:03 JST

      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 01:07:04 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      With 2FA using a one-time passcode such as TOTP, SMS or email codes, the user can send this second factor to a hacker who impersonates the service.
      There are bots that receive the one-time code and then send it to the real site to access the account.
      Regarding biometrics, this is not a requirement. You can unlock a passkey with a PIN (or a pattern on your phone) if you wish. Passkeys are designed to be decrypted the same way you unlock your device.
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 01:07:04 JST

      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 01:44:31 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      Passkeys don't protect you physically, and neither do passwords or other two-factor authentication mechanisms.
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 01:44:31 JST

      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 01:47:08 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      Usually you are legally compelled to hand over any data unencrypted to customs to pass a border if they ask. Otherwise you cannot enter the country.
      This is true whatever authentication mechanism you choose; passkeys are not better or worse in that regard.
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 01:47:08 JST

      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 01:52:12 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      I liked this article in two parts at the time, maybe it could be useful to you too? https://www.eff.org/deeplinks/2023/10/what-passkey
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 01:52:12 JST

      Attachments

      1. What the !#@% is a Passkey?
        from Jacob Hoffman-Andrews
        A new login technique is becoming available in 2023: the passkey. The passkey promises to solve phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is. There’s a good reason for that. A passkey is in some sense one of two (or three) different things, depending on how it’s stored.

      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 01:59:05 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      Yes but you can unlock passkeys with a PIN.
      But I don’t think passkeys are designed for plausible deniability anyway.
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 01:59:05 JST

      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:00:04 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      Passkeys have two factors:
      1. possession of the private key
      2. knowledge or biometric factor (pick one) to unlock the private key.
      You need both.
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 02:00:04 JST

      Adlangx (lightninhopkins@mastodon.social)'s status on Sunday, 28-Apr-2024 02:00:44 JST
      in reply to
      • Tokyo Outsider (337ppm)
      • Tim Bray
      • canard164

      @canard164 @tokyo_0 @timbray Just checked my work for going to China. Apparently I would get a new laptop, I can't bring my current one. And after the trip that laptop would go back to IT . Wow.

      In conversation Sunday, 28-Apr-2024 02:00:44 JST

      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:10:51 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      No solution is perfect and works against all possible threats. Passkeys are designed to protect against the same threats as passwords or 2FA, plus phishing, and without requiring other devices.
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 02:10:51 JST

      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:20:17 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      The services you connect to send a unique challenge to your device, per login attempt.
      To solve this challenge, the private key is required. And it is unlocked locally by a second factor. For any second factor you choose, what leaves your device is the answer to the challenge, not a secret. Not the private key, not the fingerprint, not the PIN.
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 02:20:17 JST
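The two mechanisms contrasted in canard164's posts above, the relayed one-time code (a bot forwarding the victim's TOTP to the real site) and the per-login challenge that only a locally unlocked private key can answer, as an added simulation that is not part of this thread or any participant's words. Everything in it is assumed for illustration: the rp_id example.com, the phishing origin example.com.evil, the PIN 1234, the Authenticator and RelyingParty classes, and a hand-written P-256 ECDSA used only to avoid a third-party dependency (teaching code, not constant-time). The WebAuthn model is deliberately simplified: no CBOR, attestation, signature counter or credential ID, and the user's browser is trusted to fill in the origin field, which is the same trust boundary the thread later notes for a malicious passkey manager on the device.

```python
import hashlib, hmac, json, secrets, struct

# Minimal P-256 ECDSA in plain Python so the example has no dependencies.
# Teaching code: not constant-time, not for production use.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):                      # affine point addition (None = infinity)
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P   # a = -3
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):                       # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r

def _h(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):
    k = secrets.randbelow(N - 1) + 1
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (_h(msg) + r * priv) % N

def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    pt = _add(_mul(_h(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

# --- Factor 1: TOTP (RFC 6238). Nothing in the code says where it was typed. ---
def totp(secret, t, step=30, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0xF
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def otp_relay_attack(now):
    """Victim types the current code into a phishing page; the bot forwards it to
    the real service inside the same 30 s window. The service accepts it."""
    seed = secrets.token_bytes(20)        # enrolled secret, shared by app and service (constructed)
    typed_on_phishing_page = totp(seed, now)
    return hmac.compare_digest(totp(seed, now), typed_on_phishing_page)

# --- Factor 2: passkey-style signed challenge, modelled loosely on WebAuthn (assumed, simplified). ---
class Authenticator:
    """Holds the private key; only a signature over the challenge ever leaves it."""
    def __init__(self, rp_id, pin):
        self.rp_id, self._pin = rp_id, pin
        self._priv = secrets.randbelow(N - 1) + 1
        self.pub = _mul(self._priv, G)            # registered with the service

    def get_assertion(self, origin, challenge, pin):
        if pin != self._pin:                      # local user verification (UV)
            raise PermissionError("user verification failed")
        # 'origin' is filled in by the user's browser, not by the web page.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(self.rp_id.encode()).digest() + bytes([0x05])  # flags UP|UV
        return client_data, auth_data, sign(self._priv, auth_data + hashlib.sha256(client_data).digest())

class RelyingParty:
    def __init__(self, rp_id, pub):
        self.rp_id, self.origin, self.pub, self.pending = rp_id, "https://" + rp_id, pub, set()

    def new_challenge(self):
        c = secrets.token_urlsafe(32)             # fresh per login attempt
        self.pending.add(c)
        return c

    def verify(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return False                          # unknown, reused or expired challenge
        if cd.get("origin") != self.origin:
            return False                          # signed on a phishing origin
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest() or not auth_data[32] & 0x04:
            return False                          # wrong rpId or UV not performed
        self.pending.discard(cd["challenge"])     # one-shot: blocks replay
        return verify(self.pub, auth_data + hashlib.sha256(client_data).digest(), sig)

def passkey_relay_attack():
    """Same relay trick against a passkey: the bot fetches a real challenge and has
    the victim sign it on the phishing origin. Returns (relayed_accepted, genuine_accepted)."""
    auth = Authenticator("example.com", pin="1234")          # hypothetical rp_id and PIN
    rp = RelyingParty("example.com", auth.pub)
    relayed = rp.verify(*auth.get_assertion("https://example.com.evil", rp.new_challenge(), "1234"))
    genuine = rp.verify(*auth.get_assertion(rp.origin, rp.new_challenge(), "1234"))
    return relayed, genuine
```

otp_relay_attack(now) returns True: the relayed TOTP is indistinguishable from one typed on the real site. passkey_relay_attack() returns (False, True): the assertion produced on the phishing origin carries that origin and the service's own challenge under the signature, so the relying party rejects it, while the same authenticator answering a fresh challenge from the real origin is accepted; a second verify of an already accepted assertion fails because the challenge was consumed, and a wrong PIN never produces a signature at all.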
      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:21:24 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      Passkeys are 2FA so I don't understand. Private key + second factor.
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 02:21:24 JST

      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:26:34 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      You have it, but you don't send it to the service as is. You need the second factor to send the challenge answer to the service. At least if user verification is mandatory and your passkey manager is spec-compliant.
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 02:26:34 JST

      canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:33:49 JST
      • Tokyo Outsider (337ppm)
      • Tim Bray

      @tokyo_0
      If you have a bad actor passkey manager on your device you are screwed anyway, as it could retrieve your totp codes, passwords, etc.
      @lightninhopkins @timbray

      In conversation Sunday, 28-Apr-2024 02:33:49 JST

      Mike Beasley (mikebeas@mas.to)'s status on Monday, 29-Apr-2024 04:32:29 JST
      • Tokyo Outsider (337ppm)

      @tokyo_0 obviously google can’t decrypt your passkeys the same way apple can’t decrypt your imessages.

      In conversation Monday, 29-Apr-2024 04:32:29 JST

      Mike Beasley (mikebeas@mas.to)'s status on Monday, 29-Apr-2024 04:34:33 JST
      • Tokyo Outsider (337ppm)

      @tokyo_0 this is honestly an extremely silly question. passkeys are not more vulnerable to physical coercion than passwords and 2fa are. (apple’s biometric sensors already check for blood flow btw, so cutting off a finger isn’t much help there — can’t speak for all the android OEMs).

      if someone was going to steal a rich person’s finger to unlock their password manager, staying away from passkeys doesn’t stop that from happening.

      In conversation Monday, 29-Apr-2024 04:34:33 JST

      Mike Beasley (mikebeas@mas.to)'s status on Monday, 29-Apr-2024 04:37:29 JST
      • Tokyo Outsider (337ppm)

      @tokyo_0 on ios at least, unlocking your device does not unlock your passkeys. passkeys require an additional scan the same way going into your passcode controls requires your passcode. again, i can’t speak to whether or not android implements basic, common-sense security, but this isn’t a real problem on ios. you would know if they were trying to get into your password manager because they’d have to make you specifically unlock that.

      In conversation Monday, 29-Apr-2024 04:37:29 JST

      Mike Beasley (mikebeas@mas.to)'s status on Monday, 29-Apr-2024 21:47:27 JST
      • Tokyo Outsider (337ppm)

      @tokyo_0 your password manager doesn’t require any other factors

      In conversation Monday, 29-Apr-2024 21:47:27 JST

      Mike Beasley (mikebeas@mas.to)'s status on Monday, 29-Apr-2024 21:48:28 JST
      • Tokyo Outsider (337ppm)

      @tokyo_0 well then great news. That password manager probably also is what’s going to store your passkeys so they’ll be equally protected.

      In conversation Monday, 29-Apr-2024 21:48:28 JST

      Mike Beasley (mikebeas@mas.to)'s status on Monday, 29-Apr-2024 21:49:42 JST
      • Tokyo Outsider (337ppm)

      @tokyo_0 no, this is exactly how all passkeys work. They require an additional face scan to unlock according to the spec. Unlocking your device was never enough to unlock all of your passkeys. It was specifically designed that way for security. Just like your password manager requires another scan or another passcode to open. You’re hardly the first person to think of these things.

      In conversation Monday, 29-Apr-2024 21:49:42 JST

      Mike Beasley (mikebeas@mas.to)'s status on Monday, 29-Apr-2024 21:51:04 JST
      • Tokyo Outsider (337ppm)

      @tokyo_0 whatever password manager you use probably has or will have the capability to store passkeys, so they’re not going to be any less secure than the passwords you’re already storing. the big password managers are already adding passkey capabilities.

      In conversation Monday, 29-Apr-2024 21:51:04 JST

      Mike Beasley (mikebeas@mas.to)'s status on Monday, 29-Apr-2024 23:18:40 JST
      • Tokyo Outsider (337ppm)

      @tokyo_0 they aren’t wrong, you are, and i’m not being “toxic” — you’re being defensive.

      google is oversimplifying their password management flow in that article. “unlock your phone” here means redo your PIN or fingerprint scan.

      you can see that explained at 15:30 in this video: https://www.youtube.com/watch?v=ivCveQZvY1I

      In conversation Monday, 29-Apr-2024 23:18:40 JST

      Attachments

      1. Authenticate 2022: Passkeys on Android
        from FIDO Alliance
        Speaker: Christiaan Brand, Google

GNU social JP is a social network, courtesy of the GNU social JP administrator (GNU social JP管理人). It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.