I host a few docker containers and use nginx proxy manager to access them externally since I like to have access away from home. Most of them have some sort of login system but there are a few examples where there isn’t so I currently don’t publicly expose them. I would ideally like to be able to use totp for this as well.
I’m so lucky I got my SO on board with using a password manager early on! However, the passwordless login (after figuring out how to send a user to the enroll stage initially) makes it so simple, I don’t even need the federated Google login.
Passwordless is great, but perhaps you need to consider basic MFA to start? If that's you, it's time for a refresher. Spoiler: it's not heavy key fobs any more.
and no, the Magic Keyboard with Touch ID when paired with #VisionPro does not permit the use of Touch ID
I even asked this to an Apple salesperson and they didn't know and they scoffed at the question because "there's Optic ID why would you want a second factor of authentication?!?"
I'm trying to manage my Microsoft Account protections, with an ultimate goal of protecting it with a passkey and maybe dropping my password to make the account truly passwordless. However I'm running into some weird idiosyncrasies on https://account.live.com/proofs/manage/additional that have prevented me from achieving this:
I couldn't actually see the WebAuthn option at all in the latest macOS Safari - I had to switch to macOS Chrome before the "Windows Hello" option appeared that let me then register an iCloud Keychain-synced passkey.
I removed my phone number as a second factor because SIM jacking is a thing. However the next time I tried to log in I was prompted to add my phone number to "never lose access to your Microsoft account"...but I have other BETTER second-factors configured, so why would I want to continue to allow use of weak SMS OTP? At least I could cancel out and continue on without giving them my phone number again...
Attempting to turn on "Passwordless account" forces you down a path that wants you to set up the Microsoft authenticator app. But I already have a synced passkey in the mix, so why are you bothering with app-based push? Push bombing is also an easy way to get past 2FA protections.
Another example of how the left hand doesn't know what the right hand is doing...
It's been six months — half a year — since Firefox 114 was released with support for FIDO2/WebAuthn. Microsoft 365 support is still broken, particularly for Linux users. You can register a security key but cannot authenticate using it.
Amusingly, Microsoft doesn't even support its Edge browser on Linux.
When implementing #WebAuthn on an Identity Provider's side, where exactly should one draw the line between #SecurityKey and #Passkey? I see that most platforms make a distinction between those. Can anyone link me to an article or blog post on this topic? If I were to implement security key and passkey support on a provider that does not yet support any WebAuthn, should I go down the same route?
My current assumption is that during passkey registration you'd set "residentKey = required" and "userVerification = required", whereas for a security key you'd set "residentKey = discouraged" and "userVerification = preferred".
Also, I'm assuming that a security key can also function as a form of #passwordless multi-factor authentication if UV was true during registration AND authentication. Obviously without the neat part of Passkeys where you don't have to manually enter the username.
Are passwords obsolete? Alternatives for a secure future at the Lundi de la #cybersécurité (#cybersecurity Monday) on 11 December with Renaud LIFCHITZ @nono2357
Tooting the horn since it's been a while: I'm the lead maintainer for the Ruby passkeys organization, and we're actively looking for help: https://github.com/ruby-passkeys#help-needed
If you'd like to help make sure that Ruby apps are future-proofed from the start and markedly improve everyone's security, please reach out!
While I do love #Passkeys and generally #Passwordless, I hate that it "attracts" security "professionals" acting as consultants and spewing shit like "biometry such as Windows Hello login helps against phishing because you don't need to enter a password that can be phished and used for remote logon".
Windows Hello is a technology for local, device-bound login. It replaces local, device-bound passwords. Even if I were able to phish it, I could not log in remotely (which was their whole point).
Of course there exists crapware AD/AAD that syncs local credentials, but you can turn that shit off.
We should really focus on differentiating between local/device-credentials and remote logins. Mixing those is a real danger.
Just logged into CVS and they prompted me to enroll a passkey. Super easy. 3 steps and I'm done. (For this browser, on this laptop — sync is the next hurdle.) #passwordless #authentication #passkey
With Google recently announcing “The beginning of the end of the password” I started thinking about #WordPress and what plugins are available that allow for #passkey support for #authentication. Using only your username you can use the passkey system to use your computer or mobile device to perform the rest of the login sequence.
Looking for a reverse proxy to put any service behind a login for external access.