beli3ver, German @protonprivacy why does #protonpass tell me that #Passkeys are not possible? I have a OnePlus 9 Pro with Android 14
srueegger, German 🔑 Passkeys: the passwordless future is here!
Tired of remembering countless #passwords? The latest technology, #passkeys, promises a simple solution.
But how close are we really to that future? In my latest blog post I take a critical look at the current challenges of passkeys.
Learn more about the future of digital authentication. 🚀💻
#password #login #passwort #passkey
https://rueegger.me/2024/05/05/die-herausforderungen-der-passkeys-eine-zukunft-ohne-passwoerter/
jela, German #NIST has supplemented its digital identity guidelines for the use of #Passkeys. US agencies can use syncable and device-bound passkeys to enable phishing-resistant #authentication.
https://www.nist.gov/blogs/cybersecurity-insights/giving-nist-digital-identity-guidelines-boost-supplement-incorporating
jnareb, I'm very disappointed that passkeys (allegedly) got enshittified before I could start to try to use them: https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/
schizanon, PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
#passkeys #fido2 #webauthn #yubikey #2fa #otp #authentication #cryptography #security #passwords #passkey #password #securityKey #google
vintprox, @magitism @schizanon In other words... "magic link" but with extra steps.
firefly, Structural security trumps computational security ... or ...
Diffuse structural security trumps amalgamated computational security ...
All your big, strong passkeys in one basket is less secure than your passwords in many individual baskets ...
Trying to explain this to tech bros can resemble pushing a wagon uphill ...
Because they want to sell something, logic is not paramount. See here:
https://www.metzdowd.com/pipermail/cryptography/2023-September/038186.html
"A password in my brain is generally safer than an app or SMS stream that can be compromised. Although a passphrase may in some cases not be computationally more secure than a token mechanism or two-factor system, the simple passphrase is often structurally more secure because that passphrase only links to and exposes one service target."
and here:
https://www.metzdowd.com/pipermail/cryptography/2023-September/038188.html
"I like to compare it to having one basket of eggs in one spot, and many baskets of eggs in many places. If your one basket of eggs has the master key to all the other stronger keys, is it easier to get the one basket, or the many baskets with weaker keys? So in this scenario cipher strength is not the most important factor for security. With a single basket one fox or pick-pocket or one search warrant can own all of your eggs for all your services."
#Passkeys #Passkey #Passwords #Password #2FactorAuth #Authentication #Security #Cryptography
scottjenson, Am I the only one confused by #passkeys? They feel clunky, it's not at all clear what is going on, and honestly doesn't feel any different than a password manager (but somehow worse)
I really don't even understand what is going on under the hood. Are there any good explainers out there?
#ux #passkey
Ciantic, @scottjenson The main problem for me is that browser vendors have intentionally made passkeys difficult to use without hardware keys. There are clunky ways to emulate Bluetooth hardware keys purely in software but that just adds to the confusion.
I would've preferred tight integration with something we know, like GPG/PGP, though that stack has its own set of issues (mainly that there are not good secondary implementations, but they might be resolved.)
grantpotter, If you really want #passkeys put them in a password manager you control. But don't use a platform controlled passkey store, and be very careful with security keys. https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/
JetForMe, I recently implemented Passkey support in one of my apps, and ran into some limitations of the spec. I had no idea it was this bad.
I had assumed I’d be able to get my passkeys out of my Apple devices, but hadn’t put any real thought into that.
“Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users than by locking all their credentials into your platform, and even better, credentials that can't be extracted or exported in any capacity.”
#passkeys #webauthn #apple
https://infosec.exchange/@firstyear/112335226264184474
katzenberger, @firstyear , the author of webauthn-rs, on #passkeys (I don't agree with everything in the article):
»starting to agree - a password manager gives a better experience than passkeys.[…]
Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your #passwords and manage them. If you really want passkeys, put them in a password #manager you control. But don't use a platform controlled passkey store, and be very careful with security keys.«
https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/
kas, Passkeys: A Shattered Dream
🔗 https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/
hateaid, German yqUxBV#_\jfVyD!mZ8RH7]Te8jqKA![? – even this password can be cracked. That is why more and more services offer #Passkeys as a login alternative. Read here how exactly they work and what makes them so secure: https://hateaid.org/sicheres-passwort/?mtm_campaign=tsp-it-sicherheit-passkeys&mtm_kwd=mastodon
This project is supported by the Federal Ministry of Justice.
nsa, New post on choosing the right timeout value in #WebAuthn! tl;dr
- design your challenge-response protocol to allow for a very long value
- whatever you do, don't leave it to the default value
ianRobinson, What account should I use as my first experimental login to convert to using passkeys?
PayPal?
I know you don't know what systems I use, so this is a bit of a meaningless question. But do you know of any popular systems that a lot of people use that now support passkeys?
Preferably ones that can be stored and used by 1Password 8. Maybe I should do 1Password first if they support passkeys.
Unlogic, @ianRobinson I have initially switched to passkeys for eBay and GitHub. Storing them with KeePassXC.
ianRobinson, @Unlogic Ta!
protonprivacy, Hate #passwords? Use #passkeys!
This new and easy way to secure your accounts removes the need for passwords by authenticating you with your device. Passkeys also provide a higher protection against #phishing attacks.
Here’s how to get started with #passkeys on #ProtonPass #Android, #iOS and browser extension. https://proton.me/blog/what-is-a-passkey
case2tv, @protonprivacy make them available for Firefox and I will try.
Until now passkeys are not working 🤷♂️
fission, Local first passkey login 🙌 🔒 🔑
https://github.com/mylofi/webauthn-local-client
#LocalFirstSoftware #LoFiSoftware #LocalFirst #passkeys #webauthn
bsi, German No more complicated passwords! With #Passkeys you can finally do without them – setup is simple and #authentication is based on a cryptographic procedure. More here: 👉 https://www.bsi.bund.de/dok/1107468
ljrk, @larma @TuxOnBike No, as I described elsewhere just now, that gets you at most access to the encrypted backup, not to the key.
And the scenario is not theoretical at all; it is standard practice.
protonprivacy, By popular request, #ProtonPass now supports #passkeys — on all devices, for everyone.
Passkeys provide a secure and convenient alternative to passwords.
✨ Save, store and edit passkeys in Proton Pass.
protonprivacy, @bru We are fans of Firefox as well, and look forward to the submission to the extension store getting approved.
There are few services that actually replace the password completely with a passkey, so you can log in as normal on Firefox until the new submission is approved.
protonprivacy, @bru We can confirm that it's been approved now.
dominic, French #passkeys are now finally supported by #ProtonPass from @protonprivacy on all compatible devices and all account types (free as well as paid). All that is missing now is the ability to organise data into folders or labels.
dominic, @protonprivacy Oh, has it been changed in the plan? Last October it was 20 vaults in the paid plan, as is said on this page for example: https://proton.me/blog/password-sharing
Thank you !
protonprivacy, @dominic Yes, it's changed since about a month ago.
Belganon, French #ProtonPass, the password manager (#MotDePasse) from @protonprivacy, now supports #PassKeys. Few sites use this technology yet, but the number keeps growing. A new layer of #security for your logins, more capable and safer than #2FA
protonprivacy, @error_500 @Belganon Proton's encryption provides privacy by default - the content of your emails, files on Proton Drive, calendar, passwords on Proton Pass etc. remains inaccessible to us, and therefore we cannot share it with any third parties, including law enforcement. As any legally operating company, we have to comply with the local legislation, but no legal request can bypass the encryption we provide, which has been proved multiple times in court.
Belganon, French @protonprivacy @error_500 Thanks for the clarifications, which I already knew. I am and will remain an "Unlimited" user 😉
mjgardner, Shots fired at @bitwarden: “And many #password managers only support #passkeys on specific platforms…”
When will we be able to create and use #Bitwarden passkeys outside of the browser extension? https://mastodon.social/@protonprivacy/112134037609531372
bitwarden, @mjgardner Very soon!
We can't wait to share the next step of passkey implementation with the community. Here's a hint: mobile support is next! 🔑
floyd, #Passkeys: reinventing TLS client certificate authentication that is proxyable and all private keys stored in the cloud and then of course the connection is only on one side TLS authenticated and therefore MITM-able from the other (aka proxyable, yes yes CAs and stuff but ya' know). Does this sound about right?
filippo, @floyd Pretty much. The idea is that this might actually be usable enough to replace phishable bearer tokens, which nothing else succeeded at replacing so far. Usability has value.
cryptgoat, German The new version of the free #Passwortmanager #KeePassXC is out and, alongside many small improvements, brings support for #Passkeys: https://keepassxc.org/blog/2024-03-10-2.7.7-released/
#Passwörter #Sicherheit #Security #FreeSoftware
tuxwise, #KeePassXC 2.7.7 released:
- Support for #passkeys (!)
- Upgraded import: #1Password, #Bitwarden
- Several bugfixes
Don't be shy, @keepassxc - post about it, here, on Mastodon 😉
Wiulinu, German Hello passkeys :)
wilhelm, Now that all major desktop browsers support #Passkeys caniuse.com/passkeys is there an effort happening to create browser level APIs open to everybody to ensure passkeys can be used effectively?
While #1Password open sourced their implementation blog.1password.com/passkey-cra… of #passkey-crates the question is: is any work happening on Passkey APIs for browser extensions (i.a. password managers) to use.
While it is great to see big tech move the needle on this and announce their implementations and push this technology, it is a pity those efforts seem to focus around siloing and limiting passkey usage to their implementation / tech.
For example Apple makes it impossible for e.g. @keepassxc to generate passkeys in the browser.
Are there plans to work on open browser APIs? Is there any public info / efforts you are aware of and can share @rmondello? Specifically for #macOS it would be great if Passkey creation / authentication could be used via Apple APIs.