@tokyo_0 If you have a bad-actor passkey manager on your device, you are screwed anyway, as it could retrieve your TOTP codes, passwords, etc. @lightninhopkins @timbray
@tokyo_0 You have it, but you don't send it to the service as is. You need the second factor to send the challenge answer to the service. At least if user verification is mandatory and your passkey manager is spec-compliant. @lightninhopkins @timbray
@tokyo_0 The services you connect to send a unique challenge to your device, per login attempt. To solve this challenge, the private key is required, and it is unlocked locally by a second factor. For any second factor you choose, what leaves your device is the answer to the challenge, not a secret. Not the private key, not the fingerprint, not the PIN. @lightninhopkins @timbray
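The challenge/response flow described in this post, modelled as an added example (not code from the thread or from any passkey implementation): the service stores only a public key, issues a fresh random challenge per login, and the device signs it only after a local unlock. The Ed25519 key, the `Sign`/`Verify` functions and the `uv` flag layout are simplifications of WebAuthn chosen for illustration, not the real wire format.

```go
package main
import "crypto/ed25519"
import "crypto/rand"
import "errors"
import "fmt"
// RelyingParty is the service: only the public key from enrollment and unconsumed challenges.
type RelyingParty struct {
	Origin     string
	PubKey     ed25519.PublicKey
	Challenges map[string]bool
}
type Assertion struct {
	Challenge, Origin string
	UserVerified      bool
	Signature         []byte
}
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand: fresh random challenge for this login attempt
	rp.Challenges[string(b)] = true
	return string(b)
}
func signedData(a Assertion) []byte {
	return []byte(fmt.Sprintf("%x|%s|uv=%t", a.Challenge, a.Origin, a.UserVerified))
}
// Sign runs on the device; unlocked models the local PIN/biometric gate, origin comes from the browser.
func Sign(priv ed25519.PrivateKey, unlocked bool, challenge, origin string) (Assertion, error) {
	if !unlocked {
		return Assertion{}, errors.New("private key locked: user verification failed")
	}
	a := Assertion{Challenge: challenge, Origin: origin, UserVerified: true}
	a.Signature = ed25519.Sign(priv, signedData(a))
	return a, nil
}
// Verify runs on the service; the origin check is what defeats a phishing relay.
func (rp *RelyingParty) Verify(a Assertion) error {
	fresh := rp.Challenges[a.Challenge]
	delete(rp.Challenges, a.Challenge) // single use, even if a later check fails
	switch {
	case !fresh:
		return errors.New("unknown or already used challenge")
	case a.Origin != rp.Origin:
		return errors.New("origin mismatch: assertion was made for another site")
	case !a.UserVerified:
		return errors.New("user verification required")
	case !ed25519.Verify(rp.PubKey, signedData(a), a.Signature):
		return errors.New("invalid signature")
	}
	return nil
}
```

Only the `Assertion` crosses the network: the private key and the PIN stay on the device, and an assertion made for a lookalike origin or replayed a second time fails verification.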
@tokyo_0 No solution is perfect and works against all possible threats. Passkeys are designed to protect against the same threats as passwords or 2FA, plus phishing, and without requiring other devices. @lightninhopkins @timbray
@tokyo_0 Passkeys have two factors: 1. possession of the private key; 2. a knowledge or biometric factor (pick one) to unlock the private key. You need both. @lightninhopkins @timbray
@tokyo_0 Yes, but you can unlock passkeys with a PIN. But I don't think passkeys are designed for plausible deniability anyway. @lightninhopkins @timbray
@tokyo_0 Usually you are legally compelled to hand over any data unencrypted to customs to pass a border if they ask. Otherwise you cannot enter the country. This is true whatever authentication mechanism you choose; passkeys are not better or worse in that regard. @lightninhopkins @timbray
@tokyo_0 With 2FA using one-time passcodes such as TOTP, SMS or email codes, the user can send this second factor to a hacker who impersonates the service. There are bots that receive the one-time code and then send it to the real site to access the account. Regarding biometrics, this is not a requirement. You can unlock a passkey with a PIN (or with a pattern on your phone) if you wish. Passkeys are designed to be decrypted in the same way you unlock your device. @lightninhopkins @timbray