gme,

I am concerned that the industry push away from passwords towards security keys and biometrics is a giant step backwards for civil liberties in the US.

A person in the US can’t be compelled to give up their password (usually, of course there are exceptions, but they are few and don’t affect the average person) as that would be considered a violation of several US Constitutional amendments (mainly the 4th and 5th).

In addition, there are few (if any) 4th amendment protections for any data that is stored “in the cloud”. Service providers can, and have been, compelled to disclose sensitive information in their custody that “belongs” to a person, organization, or other “entity”.

But more alarming is that an American citizen does not have any 4th or 5th amendment protections against being forced to look at a phone or computer to unlock its contents, or to provide a finger to do the same.

There are even issues with Yubikeys. They are physical keys and anybody with access to them can unlock any system that is protected with them.

So forgive me for not jumping on the passkey, Windows Hello, and other security key bandwagon and avoiding those technologies when I can.

Sure, they’re convenient!

But at what cost?

feld,
@feld@bikeshed.party

as long as you can protect the security key with a password it should be fine

gme,

@feld Is that possible with passkey?

feld,
@feld@bikeshed.party

yes, but I don't know of a way to do it in practice except using the Apple PassKey implementation and turning off TouchID and FaceID so you have to put in a password to use it

gme,

@feld Doesn’t seem possible to do it with a Yubikey though, and this guy has configured his yubikey to decrypt his encrypted hard drive. Which is scary as fuck if you’re doing anything even remotely counter to the current political climate in your region.

https://www.endpointdev.com/blog/2022/03/disk-decryption-yubikey/

(This is kinda what prompted me to write what I did.)

I like how he had to upgrade his yubikey services because the older version was more secure than what he wanted.

feld,
@feld@bikeshed.party

If I could somehow make a PassKey out of my GPG/smartcard on my yubikey it would be possible for me to require my passphrase before the PassKey could be used.

I wonder if someone is working on this or if it's even possible.

madargon,
@madargon@is-a.cat

@gme @feld with Yubikeys it is strongly dependent on configuration. There are many ways to set things up. In this article the author purposely got rid of typing passwords (I tried this setup in the past, for only a few days until I understood it would be very insecure). My current LUKS-Yubikey setup uses FIDO as described here: https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html and without the FIDO PIN the hard disk cannot be unlocked.
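As an added illustration of the distinction madargon draws (not code from anyone in the thread or from the linked articles), here is a systemd-cryptenroll enrollment with the token-only setting beside the PIN-required one, plus the crypttab line and a header check; the device path is a placeholder and the flag names are systemd-cryptenroll's own.

```shell
#!/bin/sh
# Added example: enrolling a FIDO2 key (e.g. a Yubikey) as a LUKS2 unlock method.
# LUKS_DEV is a placeholder; replace it with the real LUKS2 partition.
LUKS_DEV="${LUKS_DEV:-/dev/disk/by-partlabel/PLACEHOLDER}"

# Weak: the token alone unlocks the disk, so whoever holds the key holds the disk.
weak_flags() {
  printf '%s' '--fido2-device=auto --fido2-with-client-pin=no --fido2-with-user-presence=yes'
}

# Hardened: the FIDO2 client PIN must be typed at boot in addition to touching the key.
hardened_flags() {
  printf '%s' '--fido2-device=auto --fido2-with-client-pin=yes --fido2-with-user-presence=yes'
}

# Run the enrollment; returns 2 (without doing anything) if the tool or device is absent.
enroll_fido2() {
  dev="$1"; flags="$2"
  command -v systemd-cryptenroll >/dev/null 2>&1 || { echo "systemd-cryptenroll not found" >&2; return 2; }
  [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 2; }
  # shellcheck disable=SC2086  # flags are intentionally word-split
  systemd-cryptenroll $flags "$dev"
}

# /etc/crypttab entry so the initrd uses the FIDO2 token (and asks for the PIN) at boot.
crypttab_line() {
  printf 'root %s none fido2-device=auto\n' "$1"
}

# Confirm a systemd-fido2 token is present in the LUKS2 header after enrolling.
check_enrolled() {
  cryptsetup luksDump "$1" | grep -q 'systemd-fido2'
}

# Typical use (needs root and the hardware present):
#   enroll_fido2 "$LUKS_DEV" "$(hardened_flags)" && check_enrolled "$LUKS_DEV"
#   crypttab_line "$LUKS_DEV" >> /etc/crypttab
```

Removing the old password keyslot afterwards is what makes the setup token-only, so keep a recovery key enrolled before wiping anything.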
