@arcanicanis @silverpill There is the possibility of a MITM attack on the initial public key exchange appearing more “authentic,” but device attestation does seem pretty mundane in what it adds or loses in terms of security.
The article you shared talks a whole lot about using it as a source of metadata, but the possibility of dumping keys points to it only really being useful to alert users that their hardware has insecurities: “hey, your authenticator’s known to phone the FBI whenever you log in; you should probably get a new one.”
I just can’t shake the feeling that Microsoft, Apple, Google, etc. will someday use it to force hardware onto people. “Sorry your token is too insecure for <service>. Please use a token with DNA authentication to continue.” Again, software solves it, as it did with TOTP, but it’s still annoying having to have password managers act as USB devices.