GNU social JP
GNU social JP is a Japanese GNU social server.
Notices by canard164 (canard164@mastodon.social)

  1. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:33:49 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    If you have a bad actor passkey manager on your device you are screwed anyway, as it could retrieve your TOTP codes, passwords, etc.
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 02:33:49 JST from mastodon.social permalink
  2. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:26:34 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    You have it but you don't send it to the service as is. You need the second factor to send the challenge answer to the service. At least if user verification is mandatory and your passkey manager is spec-compliant.
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 02:26:34 JST from mastodon.social permalink
  3. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:21:24 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    Passkeys are 2FA so I don't understand. Private key + second factor.
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 02:21:24 JST from gnusocial.jp permalink
  4. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:20:17 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    The services you connect to send a unique challenge to your device, per login attempt.
    To solve this challenge, the private key is required. And it is unlocked locally by a second factor. For any second factor you choose, what leaves your device is the answer to the challenge, not a secret. Not the private key, not the fingerprint, not the PIN.
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 02:20:17 JST from mastodon.social permalink
  5. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:10:51 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    No solution is perfect and works against all possible threats. Passkeys are designed to protect against the same threats as passwords or 2FA, plus phishing, and without requiring other devices.
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 02:10:51 JST from gnusocial.jp permalink
  6. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 02:00:04 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    Passkeys have two factors:
    1. possession of the private key
    2. knowledge or biometric factor (pick one) to unlock the private key.
    You need both.
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 02:00:04 JST from mastodon.social permalink
  7. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 01:59:05 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    Yes but you can unlock passkeys with a PIN.
    But I don’t think passkeys are designed for plausible deniability anyway.
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 01:59:05 JST from gnusocial.jp permalink
  8. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 01:52:12 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    I liked this article in two parts at the time, maybe it could be useful to you too? https://www.eff.org/deeplinks/2023/10/what-passkey
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 01:52:12 JST from gnusocial.jp permalink

    Attachments

    1. What the !#@% is a Passkey?
      from Jacob Hoffman-Andrews
      A new login technique is becoming available in 2023: the passkey. The passkey promises to solve phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is. There’s a good reason for that. A passkey is in some sense one of two (or three) different things, depending on how it’s stored.
  9. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 01:47:08 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    Usually you are legally compelled to hand over any data unencrypted to customs to pass a border if they ask. Else you cannot enter the country.
    This is true whatever authentication mechanism you choose, passkeys are not better or worse in that regard.
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 01:47:08 JST from mastodon.social permalink
  10. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 01:44:31 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    Passkeys don’t protect you physically, and neither do passwords or other two-factor authentication mechanisms.
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 01:44:31 JST from gnusocial.jp permalink
  11. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 01:07:04 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    With 2FA using a one-time passcode such as TOTP, SMS or email codes, the user can send this second factor to a hacker who impersonates the service.
    There are bots that receive the one-time code and then send it to the real site to access the account.
    Regarding biometry, this is not a requirement. You can unlock a passkey with a PIN (or with a schema on your phone) if you wish. Passkeys are designed to be decrypted the same way you unlock your device.
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 01:07:04 JST from gnusocial.jp permalink
  12. canard164 (canard164@mastodon.social)'s status on Sunday, 28-Apr-2024 00:19:03 JST
    • Tokyo Outsider (337ppm)
    • Tim Bray
    • Adlangx

    @tokyo_0
    Passkeys are phishing-resistant and two-factor authentication other than FIDO hardware keys is not.
    @lightninhopkins @timbray

    In conversation Sunday, 28-Apr-2024 00:19:03 JST from gnusocial.jp permalink
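
The per-login challenge from notice 4 and the relayed one-time code from notice 11, as an added example that is not part of the original posts: a simplified relying-party check showing why a signed answer bound to the origin is useless when collected on a look-alike site. This is not real WebAuthn; `RP_ORIGIN`, the `clientData` JSON layout and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const RP_ORIGIN = 'https://login.example'; // constructed relying-party origin

// Authenticator side: the private key never leaves this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // registered with the service once, at enrolment
    // `origin` is what the browser reports for the page, not something the user types.
    sign(challenge, origin, userVerified) {
      if (!userVerified) throw new Error('PIN/biometric check failed: key stays locked');
      const clientData = JSON.stringify({ challenge, origin, uv: true });
      const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature }; // only the answer leaves the device
    },
  };
}

// Service side: issues single-use challenges and checks the signed answer.
function makeRelyingParty(publicKey) {
  const pending = new Set(); // challenges issued and not yet consumed
  return {
    newChallenge() {
      const c = crypto.randomBytes(32).toString('base64url');
      pending.add(c);
      return c;
    },
    verify({ clientData, signature }) {
      // Check the signature before trusting any field inside clientData.
      if (!crypto.verify('sha256', Buffer.from(clientData), publicKey, signature)) return 'bad-signature';
      const { challenge, origin, uv } = JSON.parse(clientData);
      if (!pending.delete(challenge)) return 'unknown-or-replayed-challenge';
      if (origin !== RP_ORIGIN) return 'wrong-origin';
      if (uv !== true) return 'user-not-verified';
      return 'ok';
    },
  };
}

function demo() {
  const auth = makeAuthenticator();
  const rp = makeRelyingParty(auth.publicKey);
  const good = auth.sign(rp.newChallenge(), RP_ORIGIN, true);
  const first = rp.verify(good);
  const replay = rp.verify(good); // same answer presented a second time
  // A look-alike page forwards a genuine challenge, but the signed origin is its own.
  const relayed = rp.verify(auth.sign(rp.newChallenge(), 'https://login.example.test', true));
  return { first, replay, relayed };
}
```

A one-time code carries no origin, so the same forwarding step would hand the service a value it accepts; here the service sees `wrong-origin` and rejects the login.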

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.