Are you tired of memorizing countless #Passwörter? The latest technology, #Passkeys, promises a simple solution.
But how close are we really to that future? In my latest blog post I take a critical look at the current challenges of passkeys.
Learn more about the future of digital authentication. 🚀💻
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
The funniest part is that no matter how many security factors we use to replace passwords (two factor auth, passkeys, security keys, etc) there's always a backup that's just another password.
Am I the only one confused by #passkeys? They feel clunky, it's not at all clear what is going on, and honestly doesn't feel any different than a password manager (but somehow worse)
I really don't even understand what is going on under the hood. Are there any good explainers out there? #ux #passkey
»Some people consider 'Schalke04' a good club, but it is not a good #Passwort«
Every year the same topic comes up, and I still have the same answer:
Use generated passwords via @keepassxc or @bitwarden, additionally secured with a #2FA / #TOTP entry. Your own creativity is not secure in #IT, but the technique just mentioned is, and (in future) so is the #Passkey method.
I hope that passkeys are not affected in this respect, just as password managers like @keepassxc and @bitwarden including 2FA already provide greater protection against the AI.
»GPT-4 can exploit known security vulnerabilities on its own:
Researchers have found that GPT-4 can successfully exploit 13 of 15 security vulnerabilities using only the associated vulnerability descriptions.«
Damn, I had hoped and believed that PassKey was less susceptible than password logins. Admittedly, this is its tooling and not its definition, but still.
»FIDO2 sticks: vulnerability in Yubikey management software allows privilege escalation.
To manage Yubikey's FIDO2 sticks, the manufacturer provides a piece of software. A vulnerability in it allows privilege escalation.«
Now PassKey is becoming more popular, and hopefully enough companies will see this too. Usually their excuse is the cost, because apparently it brings in nothing. But security done right, and not just faked, always pays off!
I’m all for the idea of passkeys. But I am not for the idea of Google or Apple knowing my fingerprint or face. I have all that turned off as strongly as possible without searing off my fingerprints or cutting off my face.
First screenshot is the real PIN prompt, second one is a JavaScript prompt() with a custom prompt text.
The only differences are:
• PIN dialog is at the top of the window, prompt() centered.
• PIN dialog says "Sign In" on the button, prompt() says "OK" (which is not customizable).
• PIN dialog has "https://", prompt() just the domain.
I'd say that makes it pretty trivial to phish for Passkey PINs … 🤦♂️
eBay just offered to let me set up a #passkey. Naturally, I decided this was a good idea. Except they only let me set up one passkey. That's not how this is supposed to work. That's not how any of this is supposed to work, eBay!
Now that my favorite browser #Firefox and beloved password manager #KeePassXC both support #Passkeys, I decided to spend some time checking them out.
And boy oh boy are passkeys not ready yet in Firefox. I love Firefox and wish them well, but they really need to do some testing. There are major issues.
#PassKey creation is straight-up broken and resulting in reproducible crashes on both google.com and webauthn.io
Now that all major desktop browsers support #Passkeys (caniuse.com/passkeys), is there an effort happening to create browser-level APIs open to everybody to ensure passkeys can be used effectively?
While #1Password open sourced their implementation blog.1password.com/passkey-cra… of #passkey-crates, the question is: is any work happening on Passkey APIs for browser extensions (i.a. password managers) to use?
While it is great to see big tech move the needle on this and announce their implementations and push this technology, it is a pity those efforts seem to focus around siloing and limiting passkey usage to their implementation / tech.
For example, Apple makes it impossible for e.g. @keepassxc to generate passkeys in the browser.
Are there plans to work on open browser APIs? Is there any public info / efforts you are aware of and can share @rmondello? Specifically for #macOS it would be great if Passkey creation / authentication could be used via Apple APIs.
Does anyone know of a modern #Android phone which allows call recording without root?
I'm currently on an aging 5T running #LineageOS and can record calls just fine: a button in the dialler lets me record straight from the line. I don't need to put it on speaker and record via the microphone.
(Looking for 1st hand experience, not search results. No need to reply to discuss the legality of call recording. I need root-less for online banking etc.)
The FIDO specification defines a form of Universal 2nd Factor (U2F) when users log in to a system. Rather than relying on one-time codes sent via SMS, or displayed on a phone screen, these are physical hardware tokens which are used to supplement passwords. When used with websites, this technology is also known as WebAuthn.