Running on Linux and not wanting to sync Android stuff with Google tends to put me outside of a lot of target audiences. It's a shame to see that happening for security technologies, though.
Cassandra Granade 🏳️⚧️ (xgranade@wandering.shop)'s status on Saturday, 04-Jan-2025 10:37:52 JST
Cassandra Granade 🏳️⚧️ (xgranade@wandering.shop)'s status on Saturday, 04-Jan-2025 10:37:45 JST
To my mind, this is not disconnected from the news that Tim Cook personally donated over a million dollars to the Trump inauguration. Chump change at Cook's level, but it signals strongly to me that I cannot trust Apple to be secure against fascist incursions — same thing with Google, of course.
Making trust work without relying on those parties is critical!
Cassandra Granade 🏳️⚧️ (xgranade@wandering.shop)'s status on Saturday, 04-Jan-2025 10:37:46 JST
Passkeys feel for all the world like yet another narrowing of the web around stacks that run WebKit or Blink and sync with Apple or Google. If you use that path of least resistance, they're great.
I know some folks have been able to make passkeys work well outside of that stack, thanks to the heroic efforts of projects like KeePassXC, but it still feels like running stuff on your own hardware is at most an afterthought for passkey implementers.
Cassandra Granade 🏳️⚧️ (xgranade@wandering.shop)'s status on Saturday, 04-Jan-2025 10:37:47 JST
In part, I've been as negative as I have on passkeys because they're very, very cool, but it's clear that the industry groups developing implementations don't consider any use cases except for those that involve syncing credentials with an untrusted provider like Google. Even if those credentials are locally encrypted, it's still really unfortunate to tie a massive and demonstrable security and privacy improvement to vendor lock-in.
Cassandra Granade 🏳️⚧️ (xgranade@wandering.shop)'s status on Saturday, 04-Jan-2025 10:40:08 JST
Anyway, passkeys are cool. I just wish they were cool for more people and for people further outside the OS duopoly.
Cassandra Granade 🏳️⚧️ (xgranade@wandering.shop)'s status on Saturday, 04-Jan-2025 10:40:09 JST
Probably the easiest thing to do until either Android KeePass clients support passkeys or Bitwarden supports passkeys for Firefox/Android would be to bite the bullet and use Proton Pass... that undoes a lot of progress I've made with getting away from cloud-based syncing, but it would technically work without trusting Google or Apple, I think.