I'm writing up a blog post called "Passkeys for Normal People", which is a non-trivial exercise. For example, whilst LinkedIn "supports" passkeys, it doesn't seem to allow using them as a second factor *or* a sole factor, so you're still left with passwords and OTPs. Correct?
@benjojo @dangoodin @cR0w @Viss @matthew_d_green I suggest the term “snooping” is the problem here. A huge part of the value proposition of any reverse proxy with WAF features (not just Cloudflare) is the ability to inspect traffic. By design, a service like this sits in a position where it can inspect traffic, and that’s a decision the site operator makes. Inspecting traffic then also provides the ability to report on it; I can pull back traffic stats based on the UA string, for example. There’s no explicit “consent” involved in people sending that data, just like there’s no explicit consent in them submitting a form with PII in it; it’s implied. It’s also up to the site owner, who already has the ability to decide what happens to passwords submitted to their service whether CF exists or not, to enable the leaked credential check: https://developers.cloudflare.com/waf/detections/leaked-credentials/
A few years ago, I wrote a book. It was the culmination of my most important posts and the stories behind them. Writing this book also helped keep me sane during insane times, and as of today, I'm giving it away for free 😊 https://www.troyhunt.com/pwned-the-book-is-now-available-for-free/
Y'know, I hate to say I told you so, but that "Mother of all Breaches" that hit the news last week ended up being exactly what I predicted it was. What will happen next is also predictable; it's uncanny just how much history is repeating: https://www.troyhunt.com/the-data-breach-personal-stash-ecosystem/