Notices by Mike Beasley (mikebeas@mas.to)

I haven’t called you anything but defensive, which you are being clearly. I gave you the exact timestamp you could look at in the video but it’s clear that password fanboys have no interest in actually understanding the technology being discussed. Enjoy getting phished and hacked in every data leak.
https://mas.to/@tokyo_0/112354961828125816

@tokyo_0 they aren’t wrong, you are, and i’m not being “toxic” — you’re being defensive.

google is oversimplifying their password management flow in that article. “unlock your phone” here means redo your PIN or fingerprint scan.

you can see that explained at 15:30 in this video: https://www.youtube.com/watch?v=ivCveQZvY1I

@tokyo_0 whatever password manager you use probably has or will have the capability to store passkeys, so they’re not going to be any less secure than the passwords you’re already storing. the big password managers are already adding passkey capabilities.

@tokyo_0 no, this is exactly how all passkeys work. They require an additional face scan to unlock according to the spec. Unlocking your device was never enough to unlock all of your passkeys. It was specifically designed that way for security. Just like your password manager requires another scan or another passcode to open. You’re hardly the first person to think of these things.

@tokyo_0 well then great news. That password manager probably also is what’s going to store your passkeys so they’ll be equally protected.

@tokyo_0 your password manager doesn’t require any other factors

@tokyo_0 on ios at least, unlocking your device does not unlock your passkeys. passkeys require an additional scan the same way going into your passcode controls requires your passcode. again, i can’t speak to whether or not android implements basic, common-sense security, but this isn’t a real problem on ios. you would know if they were trying to get into your password manager because they’d have to make you specifically unlock that.

@tokyo_0 this is honestly an extremely silly question. passkeys are not more vulnerable to physical coercion than passwords and 2fa are. (apple’s biometric sensors already check for blood flow btw, so cutting off a finger isn’t much help there — can’t speak for all the android OEMs).

if someone was going to steal a rich person’s finger to unlock their password manager, staying away from passkeys doesn’t stop that from happening.

@tokyo_0 obviously google can’t decrypt your passkeys the same way apple can’t decrypt your imessages.

Oh, that app that promised to bring iMessage to Android was actually logging all messages and attachments and making them publicly available for literally anyone to download and didn’t use any sort of encryption at all, including sending login credentials over plain HTTP?

Yeah, no kidding. Stop trusting these services, dummies.

@Gargron @Mastodon @neave fair enough, but it seems like a lot of servers are gonna get caught off guard by this.

i was given this server for Jewish folks, which i am not. worries me that people with anti-semitic views could be pushed onto such a server by default and create problems for the users and admins there. even if they wouldn’t seek out the server to join, it is now presented to them as the default here. a bit of an issue i think.

@Mastodon @neave OK, this was my first sign up attempt in the follow-up version. I would not say this is a better experience for newcomers haha.

@neave @Mastodon I tried it and I can assure you it is not excellent.

@neave @Mastodon Yeah, it’s pretty bad. The very first random server it gave me says if you’re not in New Zealand or connected to it, you can’t sign up. If I’m a new user looking at Mastodon for the first time, that’s a giant turnoff for me. Especially if I don’t understand the server concept, which is frankly not well explained on the app’s splash screen.

https://mas.to/@MikeBeas/109831188732367267