GNU social JP
GNU social JP is a GNU social server in Japan.
lj·rk (ljrk@todon.eu)'s status on Thursday, 09-May-2024 17:09:38 JST
    in reply to
    • Kevin Beaumont
    • faebudo

    @faebudo @GossiTheDog

    If you claim that this scheme "uploads your secret key", then by the same reason password auth uploads the shared secret to every hop b/w you and the authenticator. Which, yes, but it's encrypted using TLS: Your ISP cannot read the password.

    Additionally, this is actually nothing that's related to Passkeys. It's just how synced Passkeys are commonly implemented. You don't *need* to sync discoverable Passkeys, it's nowhere in the spec. KeePassXC allows you to not sync Passkeys.

    Either way, they are more secure simply in the same sense that SSH Keys are more secure than SSH Passwords. It's absolutely insane that we now, finally, have proper public-private-key auth in the Web and the same people claim it's insecure while themselves using SSH Keys. It's the freaking same thing, just for Web!

    To drill this down: The major point against attacks is not that the secret is safely stored in a physical key. It's that the authentication isn't based on a shared secret. And that's what happens here.

    Optionally(!) syncing Passkeys doesn't make this less secure, since they are encrypted before they even leave the device. And this is the same for synced password managers.

    If you don't sync, you don't have either. It has *nothing* to do with Passkeys.

    In conversation about a year ago from todon.eu

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.