Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://ioc.exchange/users/faebudo/statuses/112408938192938541">faebudo (faebudo@ioc.exchange)'s status on Thursday, 09-May-2024 17:09:40 JST</a><a href="https://ioc.exchange/@faebudo" title="faebudo@ioc.exchange"><img src="https://gnusocial.jp/avatar/255330-48-20240414114638.webp" width="48" height="48" alt="faebudo" style="position: absolute; left: 0; top: 0;">faebudo</a><div><a href="https://todon.eu/@ljrk/112407483134649177" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/105402" title="ljrk@todon.eu">lj·rk</a></li></ul></div></section><article><p><a href="https://todon.eu/@ljrk">@ljrk</a> <a href="https://cyberplace.social/@GossiTheDog">@GossiTheDog</a> Ah yes, this is how FIDO2/WebAuthn normally works.</p><p>But what I wrote about is WebAuthn with your Android Phone/iPhone where the sk and k_sk are backupped to your Google/iCloud account as a method to share it between devices using the same account.</p><p>The discoverable credentials are called passkeys and there are device-bound passkeys and synced passkeys. What I'm talking about are synced passkeys.</p><p>All the big platforms are selling synced passkeys as phishing proof and secure. But the basic promise that the private key cannot be stolen (except physical) has been violated by exporting it somewhere where it can be stolen.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3060333#notice-6073008">In conversation</a><time datetime="2024-05-09T17:09:40+09:00" title="Thursday, 09-May-2024 17:09:40 JST">about 7 months ago</time> <span>from <span><a href="https://ioc.exchange/@faebudo/112408938192938541" rel="external" title="Sent from ioc.exchange via ActivityPub">ioc.exchange</a></span></span><a href="https://ioc.exchange/@faebudo/112408938192938541">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
faebudo (faebudo@ioc.exchange)'s status on Thursday, 09-May-2024 17:09:40 JSTfaebudo
in reply to
- Kevin Beaumont
- lj·rk
@ljrk @GossiTheDog Ah yes, this is how FIDO2/WebAuthn normally works.
But what I wrote about is WebAuthn with your Android Phone/iPhone where the sk and k_sk are backupped to your Google/iCloud account as a method to share it between devices using the same account.
The discoverable credentials are called passkeys and there are device-bound passkeys and synced passkeys. What I'm talking about are synced passkeys.
All the big platforms are selling synced passkeys as phishing proof and secure. But the basic promise that the private key cannot be stolen (except physical) has been violated by exporting it somewhere where it can be stolen.
In conversationabout 7 months ago from ioc.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice