Fiction: FIDO2/WebAuthn is secure because the private key is stored in a Secure Element and can never be exported or used against the user's will.
Fact: Let's upload the private key to Google!
@ljrk @GossiTheDog This answer triggers me, did you forget a /s?
The private key stored with Google (or any other such service) is encrypted with what? A private key stored on a Secure Element, never exportable or used against the user's will?
Or with the user's mother's maiden name and the ability to read an SMS that was sent to the user's mobile phone number?
@ljrk @GossiTheDog Ah yes, this is how FIDO2/WebAuthn normally works.
But what I wrote about is WebAuthn with your Android phone/iPhone, where the sk and k_sk are backed up to your Google/iCloud account as a method to share it between devices using the same account.
The discoverable credentials are called passkeys, and there are device-bound passkeys and synced passkeys. What I'm talking about are synced passkeys.
All the big platforms are selling synced passkeys as phishing-proof and secure. But the basic promise that the private key cannot be stolen (except physically) has been violated by exporting it somewhere where it can be stolen.
@dmaonR @GossiTheDog I agree. It's also not indexed and you can't google for it. Also, I have to assume it's only there for ISO 27001 compliance and not because they use it, when even their support staff doesn't know about their policies and processes concerning security.
@GossiTheDog It's in their responsible disclosure policy pdf: securityandvulnerabilities@delinea.com
here: https://trust.delinea.com/?itemUid=56583ca0-6561-4cf3-a150-8c0c45d214cf