#passkeys
@cy @dirksche @eingfoan @kuketzblog
100% agree ❤️ I'd still rather poke around in file systems myself and find everything with grep/ack and find/fd 🤓
"With passwords and SSH keys, I can look at them. I can copy and paste them. I can write them down on a piece of paper. I can import and export them. I can back them up to external hard storage. Whereas in my testing with macOS Ventura and Safari, none of this is possible with Passkeys. In fact, Apple requires you to enable iCloud and iCloud Keychain in order to save a Passkey on a macOS or iOS device."
― Jeff Johnson (https://lapcatsoftware.com/articles/2023/5/1.html)
#passwords #passkeys #sshkey
#selfhosting
#selfdetermined #digitalsovereignty
Are you already using #passkeys?
(Feel free to share for more reach)
Silly little #Passkeys world. We were testing passkey usability (specifically #FIDO2 passkeys with #Google, #Microsoft and #Amazon) when we discovered that the implementation side has gone awry. Results:
1. Passkeys mostly don't work on mobile browsers, despite most passkey tech being fit for mobile use.
2. There is a huge difference between operating system/browser combinations when it comes to setting up and using passkeys.
3. Even between close OS versions, certain versions might have different properties (eg between win11 and win10 there are differences).
4. Windows is especially messy. Setting up passkeys often works through windows hello (on chromium based browsers). Don't have that enabled? Well, shucks. Better look somewhere else.
5. Firefox lacks setup support but once you've set up a passkey in chrome on windows11, you can use it on Firefox (not on win10 though, punk. Better back off). You cannot use it on MacOS with Firefox. Linux is weird when it comes to that. Depends whether Devs had time to implement it, it seems.
TLDR: While passkeys are great in theory, adoption/implementation seems to have been botched or not fleshed out yet. The best implementation (to our surprise) we have seen from the big ones was Amazon.
What good are standards when implementation is done...like that?
Note: we haven't done too much reproduction of this yet, so take these results with a grain of salt.
Everyone is talking about #Passkeys and I wonder whether they are technically anything other than smartcards, which have existed forever and which could also have been used on the web forever.
Nice, passkeys. It would be even nicer if the Dutch-speaking IT sector could settle on one unambiguous translation. I've already seen four variants: wachtwoordsleutels, wachtwoordcodes, toegangssleutels, toegangscodes. I personally find toegangssleutels the nicest. #passkeys
@isAutonomous
I believe these #passkeys could win the race for most "normal" end users.
But I don't (yet?) have a good feeling about my private keys leaving my computer and being stored on other people's computers ("cloud"). Why can't I simply store them, as a "Pro", in my private cloud or on my own machines? Why MUST I protect them especially well with the most secure password of all time? Or will I keep on using 100-character randomly generated passwords with a second factor? 🤔
@caschys_blog
More bullshit security theater at Kleinanzeigen. Can hardly wait.
How about #Passkeys?
🔍 The Trust & Identity Incubator from the @geant project (GN5-1) has released an insightful white paper on Passkeys Use and Deployment for R&E Services.
🔐 Explore the secure and convenient alternative to passwords, detailing how they function, usage, implementation aspects for R&E services, and future development steps.

Looks like #paypal is finally offering #passkeys and #securitykeys!
Okay, have a #selenium question related to #passkeys:
Does anyone have good working examples of using Virtual Authenticators in WebDrivers? Particularly; adding a credential. The use case is pre-loading a credential as part of the test suite
The documentation is sparse, and I'm chasing my own tail while searching; and only getting a very vague error: {"code":-32000,"message":"An error occurred trying to create the credential"}
https://www.selenium.dev/documentation/webdriver/interactions/virtual_authenticator/
cc: @rmondello @nsa ?
Did you know that a couple of months ago @damashe and I sat down and published Unmute Presents - Passkeys? If not, listen at this link: https://pnc.st/s/unmute-presents-on-acb-communi/37484b9f/unmute-presents-passkeys #Passkeys #Technology
Are there mailclients and servers which can use #passkeys to authenticate users?
Is it technically possible?
My #passkeys aren’t working again, and I was bored yesterday, so I played a game of “keep tapping try again”. At some point, the #passkey was loaded/found. 🤷♂️ I can reproduce that all the time. I went to the Feedback Assistant and opened this one: FB13408819. I hope the logs shared can give them some light.
@rmondello
#PasskeysSaga
I’ve just disabled Advanced Data Protection and restarted my iPhone (ctrl+alt+delete life). #Passkeys are working again and let’s see for how long. If you want to follow my passkey issues saga, follow the hashtag #PasskeysSaga 😉
I thought configuring #Passkeys would make logging into accounts easier but PayPal proved me completely wrong: Now I have to enter my password, authenticate with FaceID AND with a code from the 2FA app. Every fucking time.
#Passkeys aren’t working on my #iPhone… again!!! 😕🙁🙁☹️😔😣😖😫😩😭😭😭😭😭
#PasskeysSaga
I have to confess... I haven't understood these #Passkeys fidoalliance.org/passkeys/...
Who else feels the same?
Ordered two #Google #Titan hardware #security #tokens. (Signing up for the newsletter gets you a 10 EUR discount.)
I want to take a closer look at #Passkeys, and my #YubiKey unfortunately can't do that. If the OS vendors don't screw it up again by tying it to some cloud sync, I think it has potential. Basically ssh auth carried over to websites.
"Google brings new Titan security keys with room for many passkeys"
https://www.heise.de/news/Passkeys-Google-bringt-neue-Titan-Sicherheitsschluessel-9532058.html
I saw someone mention passkeys and it made me think, is there a way to have them in iCloud password manager AND in 1Password? #passkey #passkeys #iCloud #1Password
This "BPoP" (Browser Proof of Possession) proposal out of Microsoft is really interesting! If you've bemoaned the loss of Token Binding then you owe it to yourself to read this explainer they just published:
https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/BindingContext/explainer.md
I think the tl;dr is "bind session tokens to browsers using browser-managed public-key cryptography."
And I'm excited by the idea as a potential solution to the question of, "how do we defend against session token theft after passkeys lock down credential theft as a vector of attack?" 🤔
"The next planned target for enabling #Passkeys is #Firefox 122."
https://connect.mozilla.org/t5/ideas/support-webauthn-passkeys/idc-p/45437/highlight/true#M26276
With #passkeys arrival in Enpass I am more actively looking into adopting it and finally leaving 1Password 7 (yes the old one with local vaults) behind. What I want from my password manager is relatively simple: Good and native integration to macOS and iOS, Safari support, export and backup option (no, syncing to vendor’s cloud is not a backup) and option to use my own storage/sync provider (or none).
I really like some aspects of #passkeys, but I'm not quite there yet to start adopting it for my private use cases. What I don't like at all is that no password manager (iCloud Keychain, 1Password, Enpass, …) supports manual, full backups, including o/c the private keys! This also prevents transfers between tools. IMO a -major- disadvantage to good old passwords 🙁
Well, that answers that question. 😭
And I assume this error was mistakenly put in a transient-error bucket, for which "try later today" is an applicable response. This error doesn't appear fleeting.
Missing from passkeys.directory:
whether security keys are supported for passkey storage
whether passkeys are supported in the desktop website vs the mobile app
So! Signing out from iCloud and signing back in worked. #Passkeys are working again. But it is painful! Now my phone is hot and angry syncing everything. Oh, and I will have to spend the next few days adjusting things like adding my cards back to the wallet app, answering infinite — Windows Vista — permission requests, and usual problems with Apple Watch. :prami_upset:
#PasskeysSaga
Yeah, it’s broken! All my #passkeys are invalid on my iPhone. I will try to contact Apple Support later this week. Good luck to me. 😞
#PasskeysSaga
oh no... something wrong with #Passkeys. I'm generating them with my Mac, and I can't use them on my iPhone… :sweat_blob:
#PasskeysSaga
Third-party data breach affecting Canadian government could involve data from 1999
Canadian friends dealing with a lot right now… two third-party contractors to the Canadian government breached. Lots of data compromised, scope is hard to determine.
Tighten security on your accounts (use MFA, use strong passwords, consider using #passkeys or hardware keys where supported) and be extra cautious of unsolicited communications. Monitor personal accounts for anomalous (potentially malicious) activity.
#databreach #cybersecurity #security #infosec
https://www.theregister.com/2023/11/21/thirdparty_data_breach_at_canadian/
Yubico has a cyber week 50% off sale on a second key https://www.yubico.com/de/store/2023/cyber-week/ #passkeys #mfa
How to use passkeys to secure your Google account on Windows, macOS and mobile devices
#passkeys #google #windows11 #macos
https://tchlp.com/47FHpQ5
FCC adopts new rules to protect consumers from SIM-swapping attacks
FCC mandates wireless service providers adopt "secure methods" for authenticating users before transferring out phone numbers.
Services (financial sector, I am looking at you) should also do their part... make SIM-swapping even less attractive by moving to TOTP #MFA / #2fa or supporting hardware keys / #passkeys
#Development #Showcases
The web can do what!? · A showcase of the incredible capabilities of the modern web https://ilo.im/15ha8z
_____
#WebDev #WebPerf #WebTechnologies #PassKeys #WebAssembly #WebGPU #API #Frontend #HTML #CSS #JavaScript
These look interesting! I had a set of the originals. Eventually replaced with my Yubikey 5. But definitely like the idea of my critical passkeys on a HW token and not in my password vault. Plus the PIN unlock.
https://www.wired.com/story/google-titan-security-key-passkeys/
Spent the entire holiday studying. Still having lots of difficulty with React, my head just can't wrap around the syntax of this thing.
At least I finished setting up my old laptop with Ubuntu. Thanks to passkeys on @1password, setting all my apps and browsers was a breeze. It's nice to live in the future!
Well, that's the source of the key I found on eBay. How did I not hear about these new security keys sooner??
"Google’s new Titan Security Keys let you store passkeys"
https://9to5google.com/2023/11/15/titan-security-key-passkey/
And the Google blog post says they hold up to 250 passkeys.
Blog post: https://blog.google/technology/safety-security/titan-security-key-google-store/
Google Store link (waitlist only at this writing): https://store.google.com/product/titan_security_key
In the midst of the Passkeys hype, a quick reminder for browser makers that developers would definitely benefit from an open API that could be used to listen to WebAuthn/Passkeys requests directly in a friendly way. Currently every password manager browser extension injects JavaScript into all web pages because they don't have any other option.
Ping @mozilla
#Passkeys promise to prevent #phishing. What are they and how do they work? https://www.eff.org/what-is-a-passkey
Passkeys.directory is a community-driven index of websites, apps, and services that offer signing in with #passkeys.
Neither @protonmail nor @Tutanota support passkeys as a password-less authentication method, and at least @protonmail does not support security key/passkey only 2FA. (I don't know if @Tutanota does)
I mean, these providers are supposed to be top-notch secure email providers. Why are they so far behind? Any serious alternatives? Paying customer here.
We really need to replace passwords with #passkeys, and much sooner...
https://www.darkreading.com/endpoint/mgm-and-caesars-attacks-highlight-social-engineering-risks
@quincy @thomasjorgensen @lobingera @glynmoody in fact didn't they try countless times to force shit that no one wants onto people, from #Passkeys to removing the #URL to "#WebIntegrityFramework" aka. mandatory #ads that one can't disable...
Let's not forget #Google - like all #GAFAMs - was a #PRISM collaborator, is subject to #CloudAct and #ITAR and thus not only capable but able and willing beyond the legally mandated minimums to do so.
DON'T TRUST GOOGLE - or anyone!
@bitwarden Really really need mobile #passkeys, but I understand it may be difficult especially on #iOS. Kudos
New! Manage #passkeys inside your Bitwarden vault! Use the latest in secure passwordless technologies with the Bitwarden browser extension. Learn more in this blog and by joining the webcast on Nov. 9: https://bitwarden.com/blog/bitwarden-launches-passkey-management/
It seems that moving between Password Managers with #Passkeys will become a nightmare! I’ve moved back to iCloud Keychain, and sometimes I have to re-enable :1password: 1Password because the Passkey is there. 😕 Fortunately, I don’t have many Passkeys, but in the future, this will be a problem if I plan to change my Password Manager again. 🤔
News for all security enthusiasts and Bitwarden users! 🎉
The latest update of the Bitwarden browser extension allows you to save passkeys! Say goodbye to the hassle of remembering complex passwords. 🔒✨ #BitwardenUpdate #Passkeys #OnlineSecurity
https://www.theverge.com/2023/11/2/23943173/bitwarden-passkey-support-released-browser-extension
#Passkeys have a lot of confusion and valid criticism against them. However, there is one huge benefit that I feel like no one is talking about: they effectively eliminate password breaches as we know it!
#security #cybersecurity #passwords #technology
🧵1/2
It looks like BitWarden is following suit with 1Password and returning "uv:true" in WebAuthn authentication requests even though the user isn't prompted for anything more than to confirm the use of a passkey. The unlocking of the vault is considered the user-verifying event...
As an end user I appreciate the streamlined experience. But as an RP I'm disappointed - what if vault unlock occurred 5/10/30 minutes prior? Someone could cruise by someone's desk when the vault is unlocked and auth as the vault owner and the RP would be none the wiser 😢
It's a tough middle point that passkey providers have to try and find 🥴
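The thread above turns on the RP only ever seeing a "uv:true" flag. As an added illustration (not code from any of the posts, Bitwarden or 1Password), this parses the flags byte of WebAuthn authenticator data and applies an RP-side policy; the sample authenticator data is constructed inline, and `build_auth_data` and `assertion_meets_policy` are names chosen here.

```python
# Added example: inspect the WebAuthn authenticator data flags byte on the
# relying-party side and enforce a user-verification policy explicitly.
import hashlib
import struct

# Flag bits in the authenticator data flags byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligible (credential may be synced between devices)
FLAG_BS = 0x10  # Backup State (credential is currently backed up)


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct the 37-byte fixed prefix of authenticator data (test vector helper)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def assertion_meets_policy(auth_data: bytes, uv_requirement: str, last_sign_count: int) -> tuple:
    """Return (ok, reason). uv_requirement is what the RP sent as
    PublicKeyCredentialRequestOptions.userVerification ("required"/"preferred"/"discouraged")."""
    parsed = parse_authenticator_data(auth_data)
    if not parsed["user_present"]:
        return False, "UP flag not set"
    if uv_requirement == "required" and not parsed["user_verified"]:
        return False, "UV required but UV flag not set"
    # A counter that fails to increase can indicate a cloned credential. Synced
    # passkeys (BE set) commonly report 0, so only compare when both are non-zero.
    if parsed["sign_count"] and last_sign_count and parsed["sign_count"] <= last_sign_count:
        return False, "sign counter did not increase"
    # Note: the flags byte cannot tell a fresh biometric prompt apart from a
    # vault that was unlocked minutes ago; an RP that needs fresh UV has to
    # re-prompt (step-up) rather than trust UV=1 for sensitive actions.
    return True, "ok"


# Constructed samples: a synced passkey asserting UV, and the same one without UV.
SAMPLE_SYNCED_UV = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
SAMPLE_NO_UV = build_auth_data("example.com", FLAG_UP | FLAG_BE | FLAG_BS, 0)

if __name__ == "__main__":
    print(parse_authenticator_data(SAMPLE_SYNCED_UV))
    print(assertion_meets_policy(SAMPLE_SYNCED_UV, "required", 0))
    print(assertion_meets_policy(SAMPLE_NO_UV, "required", 0))
```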
#Bitwarden Adds Support for #Passkeys - Release Notes :bitwarden:
I've rooted for so many methods to finally retire the password from our toolbox of authentication methods, I can't even remember what got me started. So I hold a lot of hope that Passkeys are finally the thing that will stick. But security is messy, and everything comes with downsides. What are some of the downsides of the passkey? A review.
https://osma.medium.com/the-trouble-with-passkeys-64c791ef5620
#passkeys #authentication #infosec
@stevetex Safari also has full support for #passkeys, I should say.
I am sad I had to stop using #firefox more often now because it is the only major browser that doesn’t support it.
Do you have any insight into what could be going on?!?
BTW: Firefox is still my default browser but yesterday I had to switch to using Safari… :/
Hey @mozilla : yesterday I was poking around #passkeys and had to stop using #firefox because it was not working… I could not sign in into a service I use everyday…
Do you have any insight into when it will be fully supported?
It is becoming more difficult for me to continue using Firefox as my default browser…
Only the YubiKey 5 series supports creating and storing passkeys ("resident WebAuthn credentials"), and you can only store 25 of them.
Also, non-passkey use of YubiKeys appears to no longer be [reliably*] supported by Google's Advanced Protection Program. You have to create a reliable passkey, then delete and re-add all of your existing keys (listed under "2-step verification only security keys"). Some of my keys are ... extremely offsite, so it will take time to restore my previous levels of redundancy.
I think I'm starting to understand how we got here, but I'm still unhappy that the benefits of the previous model - in which unlimited sites could be used with each security key, and U2F keys were backward compatible - are gone.
I also feel as though Google, Yubico, and others could have done a better job of communicating the consequences for advanced users ... in advance. Instead, Google searches for "2-step verification only security keys" currently only produce 5 results, which are Reddit threads full of commiserators and Google support threads like this one that are locked without response:
*
Once any passkeys use is enabled, some APP users (including me) can sometimes do a fresh Google login from scratch on a new device with only a security key .. but other times, any "2-step verification only" key you try is rejected as unrecognized. I do not know what the variability is - and the forums are full of people with similar complaints.
UPDATE: On further testing, and based on reports from others on the side, it may be that the symptoms I (and the folks in the forums) experienced were a problem for the first few months at launch, but may have been fixed. It last failed for me about a month ago, but I'm unable to recreate it from Incognito. But since Google uses many signals to determine how to prompt for what kind of MFA, I am not at all confident that I will be able to use non-passkey security keys from a fresh computer in a new geographic location away from my phone. If Google fixed something, I do wish they'd say something about it somewhere, so that I can key with confidence!
Update 2: a friendly, authoritative reply that we don't think anything has changed, so the symptoms are still mysterious (and maybe more common if a PIN is set on the key?):
https://infosec.exchange/@skarra/111309708728390341
Update 3: And to head off some side questions - this doesn't diminish my YubiKey fanboy-ness. :D I do see the trade-offs, and the middle ground for me will probably look something like storing my "top 20" critical passkeys on YubiKeys, and keeping all the others in a password-management layer.
My other toot on this topic from a couple of days ago:
https://mas.to/@osma/111290880806917131
I think I'll write a longer post on these issues, actually. If you'd like to help me by reading a draft before I hit publish on it, please let me know. I might have something for you over the weekend.
#passkeys #authentication #infosec
Here's a good primer on Passkeys, the finally-it's-here standard to kill off passwords.
I just don't believe that those corporate policies which incorporated 2FA will recognize a passkey as a sufficient replacement of both password and TOTP, or that those policies which didn't, would recognize passkeys at all. Please prove me wrong, though!
https://www.eff.org/deeplinks/2023/10/what-passkey
#passkeys #infosec
@eff has a great writeup how #PassKeys work, why they are an important step forward in security, and talk about which password managers and devices currently support it (and which ones do sync, see above). https://www.eff.org/what-is-a-passkey
#Business #Explainers
Passkeys and privacy · How does the password alternative affect your privacy? https://ilo.im/15e3yb
_____
#Privacy #Security #Development #WebDev #Website #Authentication #Passwords #Passkeys
The EFF published a pretty optimistic article about passkeys and privacy 🎉
For most purposes, passkeys will represent a significant improvement in security at nearly zero cost to privacy. As described in the previous post, there are still significant growing pains in the passkey ecosystem, but they will likely be resolved in the near future.
@bitwarden Are you still hoping to launch #passkeys in October?
Thinking about getting myself a #Yubikey, but I'm a little worried if newer technologies like #passkeys and #fido2 or whatever may be better? I honestly don't know much about the world of hardware keys for #authentication and #security stuff
Join the Bitwarden team Nov. 9th for a discussion about #passkeys, how they make you more secure, and how Bitwarden users can leverage them today. https://www.crowdcast.io/c/passkeys-bitwarden
Now that the rollout of Passkeys is at the point where consumers are encountering them - is the future of MFA:
- Needing both a passkey AND a password?
- Passkey and TOTP?
- Two passkeys from separate devices?
- F passkeys, MFA will be passwords and TOTP forever
- What's MFA?